It’s a significant undertaking, with a looming deadline (25th May 2018) and significant fines for non-compliance. There’s a lot to get ready.
But, the truth is that GDPR is a good thing and – as Elizabeth Denham, the UK’s Information Commissioner has been at pains to point out – its implementation, even for smaller businesses, should be neither scary nor onerous.
What is GDPR and why do we need it?
GDPR – the General Data Protection Regulation [1] – is a new law across the European Economic Area (EEA) and, in the UK, replaces the Data Protection Act 1998. It is intended to strengthen the control individuals have over their data and their right to privacy, and it therefore requires greater controls from companies that control and process personal data.
Think back 20 years. There was no iPhone (2007) and no Facebook (2004). The way that personal data was used, and the volume of data shared, when the 1998 act came into force was very different from today. GDPR aims to bring data protection rules into line with modern day practice.
It applies to “personal data”, which means “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.”
In the UK, GDPR will be administered and enforced by the Information Commissioner’s Office (the ICO, ico.org.uk).
Why is GDPR good for your business?
Research shows that individuals are concerned about the use (and possible misuse) of their personal data: two-thirds are concerned about not having complete control over the information they provide online; 31% think they have no control over it at all. [2]
As Denham says, the new rules are about “greater transparency, enhanced rights for citizens and increased accountability”. [3]
For businesses complying with GDPR, a principle-based approach to managing their privacy programme will enable them to apply privacy requirements consistently across processes and products, ultimately building a stronger trust relationship with customers.
And, of course, trust is the foundation of valuable, ongoing customer relationships.
Is my business exempt from GDPR?
One of the first steps in preparing for GDPR is to understand what personal data your business holds and what you use it for, keeping in mind that your employee data, not only customer data, is also covered by the regulation.
Smaller businesses (with fewer than 250 staff) have some exceptions but are not exempt. That said, the ICO has produced a wealth of useful information, guides, self-assessment tools and a helpline specifically for smaller organisations (see below).
Also, remember that GDPR applies to any organisation processing the personal data of any EU citizen. Even online retailers in America or China are affected if they deal with EU customers.
What can I do?
Don’t panic.
But, don’t stick your head in the sand either.
A lot of GDPR is simply best practice and compliance with existing regulations gives you a great starting point. However, the new rules will probably mean you need some new processes and policies.
5. Finally, if all else fails, the ICO has set up an Advice Service for small organisations.
There are penalties for non-compliance but, as the ICO says, fines are a last resort:
“This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that. Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point.” [4]
GDPR is about doing the right thing for your customers and with their data. It may be unavoidable, but it’s also a good thing for your business. If you haven’t already started, begin today and help your customers (and staff and suppliers) see that you respect them and their information.
Further resources
The ICO provides general advice, but it also recommends contacting the professional or trade body for your specific industry. Many of these are running events and webinars between now and May to help members understand how GDPR affects their operations.
Here are some other useful resources:
1. For charities
   a. The ICO provides specific guidance for charities.
2. Are you GDPR Ready? – this excellent video from the Federation of Small Businesses (FSB) gives a useful overview of GDPR. It’s the first in a series of three.
3. ICO’s series of myth-busting blogs. Written by Elizabeth Denham and Deputy Commissioner Steve Wood, these 5 blog posts (covering 9 common myths) are a useful way to see beyond the hysterical headlines and understand the ICO’s intent.
4. The European Commission site is also a useful source of information.
5. The International Association of Privacy Professionals is policy-neutral and the world’s largest information privacy organization; read more here.