The General Data Protection Regulation (GDPR) is the European Union’s data privacy and security law, which came into effect on 25th May 2018. GDPR introduces a wide range of compliance requirements for organisations in Europe and around the world, as long as they target or collect personal data relating to people in the EU, and non-compliance can result in heavy fines for the organisations concerned. In this article we will explore: 1. how to find out if GDPR is applicable to your business, 2. a guide to ensuring GDPR compliance, and 3. the repercussions if you fail to comply with GDPR.
7 Principles of the GDPR:
Article 5 of the GDPR contains the 7 principles on which the General Data Protection Regulation is based:
1. Lawfulness, fairness, and transparency.
2. Purpose limitation.
3. Data minimisation.
4. Accuracy.
5. Storage limitation.
6. Integrity and confidentiality.
7. Accountability.
How do you find out if GDPR is applicable to your business?
GDPR is applicable to companies and entities in the following cases:
● Regardless of where the data is actually processed, if a company’s or entity’s operations require it to process personal data in any of its branches situated in the EU.
● A company not situated in the EU that offers goods or services (either paid or free) to, or monitors the behaviour of, individuals in the European Union.
● If Micro, Small and Medium Enterprises (MSMEs) are processing personal data of individuals in the EU, GDPR will be applicable whether the enterprise is situated inside or outside the EU.
● If data protection is not part of the core business of an organisation, and its business activities do not create a risk for individuals, then some obligations are waived.
● When are the Regulations applicable?
Your company is a small edu-tech company based outside the EU. You are targeting Spanish and Portuguese universities. You offer free advice and study materials to students, but students need a username and a password to access the material from your website. Your organisation provides the username and password after the students fill in an enrolment form. In this case, the GDPR applies to your organisation.
● When are the regulations not applicable?
Your organisation is a service provider based outside the EU, and your customers are outside the EU. Your clients can use your services even when they are travelling to other countries, including EU countries. This rests on the requirement that your organisation is not specifically targeting individuals in the EU; as long as that is ensured, you are not subject to GDPR.
How can you ensure GDPR compliance?
The GDPR requires businesses to comply with a set of standard requirements and goes a step further by requiring them to demonstrate how they are complying with the regulation. Companies must ensure that data protection is embedded into the business as per Article 25, following the principles of Privacy by Design and Privacy by Default.
You can take the following steps to ensure your compliance:
● Update your privacy notices
You need to explain to your clients, through updated privacy notices, why you are collecting their information, what you will do with it, how long it will remain in your possession, who else will have access to it and where it will be stored. Ensure that you obtain proper acceptance from them.
● Identify the personal data you already hold
Start by identifying all the personal data you currently hold and remove the data you don’t require. Ensure that the data collected is used only for the purpose it was collected for.
● Use a secure email service
GDPR is applicable to all forms of communication, including email. Personal information shared by email must be sent through a secure email client.
● Prepare for a data breach scenario
Even with all the safety measures in place, a data breach might happen. Your plan must be able to detect a breach, stop it immediately, and prevent similar breaches in the future. The affected individuals and the regulators must be informed about it within 72 hours.
● Prepare to delete Customer data
GDPR gives individuals a right to be forgotten, so they can request that their data be deleted. Proof of the deletion must be provided to the customer.
● Prepare for Data access requests
GDPR gives customers the right to know what data you are holding about them, and they can request an electronic copy of it at any time. The organisation is required to deliver the data securely, within 30 days, in a usable electronic format.
● Build a data protection culture
Ensure that your employees are aware of the importance and necessity of complying with GDPR. Encourage the view that data is a very valuable commodity that must be protected. Appoint a data protection officer in the organisation; they will be responsible for keeping track of new regulations, implementation and documentation, and for ensuring compliance.
Is someone exempt from compliance?
There are many misconceptions and much confusion regarding the GDPR exemptions granted to MSMEs and individuals. Some limited exceptions are provided to a few; other than that, all bodies are required to comply with GDPR.
Here are some restricted GDPR exemptions linked to personal data:
● When the data being processed is outside the scope of European Union legislation.
● GDPR is not applicable to entities processing data for purely personal or household activities.
● GDPR is not applicable to government and law enforcement bodies if the data being gathered is used in the national interest for the prevention, detection or prosecution of criminal offences, or for preventing threats to public safety.
● GDPR is not applicable to the processing of personal data for activities covered by Chapter 2, Title V of the Treaty on European Union, which concerns the Union’s external action and the specific provisions on the common foreign and security policy.
What happens if you fail to comply with GDPR?
The consequences of non-compliance with GDPR are not just financial; they are moral as well. The Information Commissioner’s Office (ICO) has previously said that “GDPR is more about putting the privacy of the citizens first rather than just imposing fines, and that fines are a last resort.”
The consequences of not complying with GDPR are:
● Heavy financial penalties
Organisations that fail to comply, or that suffer a data breach, could in the most serious cases be fined up to 17 million euros or up to 4% of the company’s annual turnover. The upper limit for fines is currently 500,000 pounds. The fine is decided on a variety of factors, such as the duration of the breach, the company’s previous history, the kind of data involved, and whether the breach was intentional or negligent.
● Damaged Reputation
Non-compliance damages a company’s reputation with its customers, clients and other businesses. News of data leaks and security concerns is highly publicised these days, so companies must be very careful.
● Compensation for damages
The GDPR gives individuals the right to claim damages for a data breach or non-compliance by any company under its jurisdiction. Thus, in the case of a major data leak, a very large number of claims can arise, which can be extremely costly for the company.
Companies that failed to comply with GDPR after the May 25, 2018 deadline had to pay substantial fines. Organisations storing EU customer data, for example, faced a penalty of up to EUR 20 million or 4% of their entire global turnover for the previous fiscal year, whichever was greater. In a nutshell, GDPR should not be taken lightly. Small and large businesses that process EU personally identifiable data should comply with the regulation without delay to provide a secure environment for their customers. After all, a safe environment for data underpins sustainable business opportunities.