What is GDPR?

GDPR is the new EU Data Protection Regulations which will come into effect on 25 May 2018. GDPR gives consumers greater control over how their personal data is used by your business and ensures best practice in storing data and reporting losses of data.

The new regulations apply to all businesses operating within the EU, small or large, however, there are some exemptions from certain aspects of the regulations for small and medium businesses.

Compliance with the new regulations will initially require changes to be made within your business. However, the benefit for your business from the introduction of GDPR is there is a single EU-wide set of Data Protection Regulations to comply with instead of a different set of regulations for every individual country. This will be of great benefit to your business if you trade cross-border within the EU.

What changes under GDPR?

  1. From 25 May 2018, all businesses become accountable for their compliance with GDPR and will have to be able to prove their compliance with the regulations. This includes maintaining records of all data processed so it can be reviewed by the supervisory authority.
  2. Collection of personal information will be subjected to stricter regulations around consent and disclosure of future uses of data collected. The new regulations aim to ensure that providing consent to use your personal information is clearer to the consumer, and can be withdrawn at any time with ease. For example, it will no longer be acceptable to have a pre-ticked box on an online form giving consent for future use of consumer data.
  3. GDPR will also provide the consumer with new and improved rights to the information held about them by your business, including the right to request a copy of all information held at any time. Consumers will also have enhanced rights in relation to being removed from your database at any time – the so-called ‘right to be forgotten‘.
  4. Your businesses privacy policy in relation to data protection is required to be written in plain, easy to understand language and to provide more transparency between your business and the consumer.
  5. You will be required to report all privacy breaches to the Data Commissioner within 72 hours, and, depending on the severity of the breach, the affected parties will also have to be notified of the data breach.
  6. It requires businesses to appoint a Data Protection Officer. Small businesses are exempt from this requirement.
  7. The territorial scope of the regulations has been broadened. Therefore, companies based outside the EU who process information relating to EU residents, are also required to comply with the new regulations.

Are there exemptions for small/medium businesses?

Small or medium businesses will not be required to appoint a data protection officer if they are not processing a large quantity of data.

There are also less stringent reporting requirements for minor breaches in security, where, unless the rights or freedoms of the consumer are affected, the breach does not have to be reported to them.

Overall, however, there are no major exemptions. All businesses, small or large, are going to be affected by the new regulations.

Are there the consequences of non-compliance?

The consequences for non-compliance are extreme, with the possibility of fines up to €20M or 4% of worldwide turnover.

How do I get my business ready for GDPR?

Don’t panic. It’s not too late, but it is vital to start preparing now.

The new regulations come into effect from 25 May 2018, and it is your responsibility to ensure your business is compliant by this date. Below are some of the steps you can take now to help prepare your business for the new regulations:

  1. Review all client data currently held by your company, and update where necessary. Old, outdated information should be deleted.
  2. Ensure you are able to demonstrate your compliance with GDPR from 25 May 2018.
  3. Ensure that detailed data processing records are maintained.
  4. Review your internal policies and procedures around data protection and data recording. Who inputs the data? Where is it stored? We have had a data breach -what do we do? An individual has requested to be ‘forgotten’ – how do we do this? This is a very important area. For example, should an individual request all their details to be removed from your database and then receive an email advising them of your, ‘Summer sale,’ you are in breach of GDPR.
  5. Update all data privacy notices to ensure, and to state, you are compliant with GDPR.
  6. Attend a training course and review GDPR checklists to ensure compliance. Although small businesses are exempt from appointing a data protection officer, management and staff need to be up-to-date on the requirements of the new regulations.
  7. For larger businesses – appoint a Data Protection Officer, provide training and budget for compliance costs.

Note on ‘right to be forgotten’

If an individual has requested to be ‘forgotten’ you are entitled to retain information for ‘archiving purposes in the public interest’. Therefore, accountants, for example, can and must retain files for 6 years for revenue purposes.