GDPR: What It Is – And What You Need To Do To Avoid A €20m Fine
Unless you’ve been living under a rock, you can’t have failed to notice the swirling news stories about the General Data Protection Regulation (GDPR). Although this is pan-EU legislation, its impact will be global, as will the threat of €20m fines or 4% of a business’s turnover, whichever is higher.
Now, it’s safe to say that most of us don’t have this kind of money to spend on things we like, never mind in fines. But from May 25, 2018, your business must comply as the regulation passes into enforcement. It’s all to do with protecting the personal data of all the citizens of the 28 member states of the EU. If you’re doing any business with the EU, then you need to comply.
While the law is designed to harmonize Europe’s data privacy laws and offer greater personal protection, which is a good thing, there’s no denying that it is causing big and small businesses a headache as they rush to get their house in order.
Whether you’re an individual, a company, or an organization, you need to be sure you’re on the right side of the law. The law holds that anyone who “controls” or “processes” personal data (got an email list or need people to sign up to your site? That’s you) must protect any data which can be used to identify a person.
Whether it’s a name, an IP address, or even genetic data or information about someone’s religious views, it’s all included. If it’s personal information, then it’s covered. One major difference from older iterations of this law is that this matters even with a pseudonym. Yes, even fake internet personas are covered by this law.
Not only do businesses need to be more stringent about protecting users’ data, they also need to allow those individuals free and easy access to their data. Don’t want to share it with them? Better pay up that fine, because you’re breaching the guidelines, no matter where you and your business are located.
If you’re a startup, it’s worth looking very closely at this process, as many startups tend to sidestep “boring details” such as personal data in favor of the blue sky ideas, marketing blitzes, and excitement of building a new business.
You are now required to be fully accountable for your handling of personal data, even if you’re the kind of person who collects it, then forgets about it. Part of the reason this legislation was introduced was due to the huge data breaches that have happened in the past few years.
So many websites have been hacked, and many people have had their personal details stolen – and companies, up to now, have typically kept quiet about such breaches. They are, after all, bad for business. However, with GDPR, you now have 72 hours to report such a breach. If you don’t, you’re going to get a large fine.
In addition to this, people have a lot more autonomy over the data which you have collected from them. Some companies used to charge for access to their private data. Whether an administrative charge or just an opportune moment of profiteering, this is now illegal – and information requests must be honored free of charge. In addition to this, if you make any decisions regarding the use of their data, then you need to inform users first. Users can even request that their data be erased.
As you can see, this is a large, all-encompassing law that is really forcing businesses globally – who deal with the EU – to rethink many of their policies. Why? Well, as much as the changes are a pain, the fines are even more painful.
The figures are eye-watering: €20 million or 4% of a firm’s revenue – whichever is higher. You read that right. That’s a huge amount of money, and the fines will be applied globally through political channels: the US, for example, has already agreed to assist the EU in enforcement. With that said, there is likely to be some leniency in the early days, particularly when there is evidence that a company is trying to comply but made a mistake. But if you choose to ignore this and continue to deal in the EU, then you will find yourself with a bill that you will – realistically – never be able to pay off in a single lifetime.
Scary? Perhaps. However, there are many guides and tools out there right now to help expedite this process and remove the confusion. After all, you’re running a business, and the last thing you want is to drop everything and fix some legal headache in another part of the world.
Depending where you are, it’s worth looking up local phone lines or help centers, as some countries have specially set them up to help businesses to comply with help from experts. Typically, these services will answer questions and assist with confusion, making the process that little bit smoother.
Alternatively, you could follow the example of tech firms like Facebook, which moved 70% of its users to be registered in the United States rather than Ireland, taking them outside the scope of GDPR. However, it remains to be seen whether this works.
GDPR is coming soon – are you ready?