The EU General Data Protection Regulation (Danish: Persondataforordningen) takes effect on 25th May 2018, leaving everyone from small businesses to large enterprises with little over a year to ensure they can comply with the requirements. There have been tons of debates about the effects, the fines, and the confusion. Is this something that all companies should fear?
It seems that the new EU General Data Protection Regulation (GDPR) has created a bit of fear and confusion about how it will affect one's company – no matter the size. There are fines, increased control and tighter regulations – that does sound risky.
The GDPR is going to affect every organisation – including the self-employed, start-ups and smaller businesses that process EU residents’ personally identifiable information.
Here is a summary of how the GDPR arose: in January 2012 the European Commission made a proposal calling for a change to the Data Protection Directive (which we are still under currently) due to the variation that arose when it was transposed into national law. The European Parliament agreed with the proposal, negotiations took place in 2015, and in May 2016 the GDPR was published, giving all organisations a two-year implementation period. Here we are nine months later with 15 months to go.
The GDPR’s objective is, amongst other things, to increase data flow and legal certainty, unify data protection and enhance the confidence of the consumer across all 28 EU member states.
The horror comes when you hear what GDPR non-compliance can cost your company: up to 4% of an organisation's turnover or €20 million. This could mean insolvency for many – however, so can a lot of other scenarios of non-compliance. It makes sense to have grave consequences if you gamble on being able to operate above the law.
Data breaches are becoming common in a data-focused world, and the majority of organisations – if not all – in any line of business are vulnerable. For example, customer loyalty is a fundamental factor in tons of industries. Not being able to protect customers’ personal data could potentially break customer trust and thereby break the brand.
So what should an organisation do? In short, companies should be responsive to the new responsibilities and be proactively prepared.
That is easy to say and harder to get done, of course. However, listing a few of the benefits and ways to utilise the GDPR might be a way to approach the project with a the-glass-is-half-full mentality – here are a few reasons why the GDPR can be good for your company:
1. You do not have to keep the data forever.
Retention periods will read ‘no longer than necessary’ – hence the need to store all data permanently is no longer an issue. If you want to keep your data longer than necessary, it is possible IF the data serves historical, scientific or statistical purposes. Shorter retention periods than necessary are also possible with the infamous new phrase ‘the right to be forgotten’.
2. Fewer conflicting obligations for the organisations
The R in GDPR stands for Regulation – and a regulation trumps a directive, meaning that it is directly applicable in all 28 EU member states. The soon-to-be-former Directive had to be transposed into each nation's law, and it is not difficult to imagine how varied these interpretations could be, not to mention the complications when doing business with other EU member states. As an extra bonus, the rest of the world has to comply with this too if they are purposely conducting business directed at EU residents.
3. The realisation
It may sound like a lot of work – and it will be in the beginning – but the GDPR will be the wake-up call your business needs to gather all data, review all systems and get prepared for a new era of personal data handling. It is inevitable as times change. Remember 15 years ago when most data were in hard copy? Picture the frustration back when all documents and data had to be scanned. You had to tag it, store it, control it, retrieve it, re-scan it and maybe, a few years later, convert the files and improve the quality, etc. And all of this had to be done according to regulations, and with the most efficient process available for the money allocated in the budget. It is part of the business, and it has got to get done.
It is hard to measure the return on investment in data and document clean-up on the business bottom line; however, taking the risk of not having data controlled and compliant could, in turn, have a devastating effect, which will be visible in the annual report’s cost field. The GDPR could serve as a means to get upper management (should they not normally be keen to invest) to see the necessity of cleaning, systemising, preparing and investing in GDPR compliance. If not, get their rejection in written form.
4. You might have to get a DPO (Data Protection Officer)
If your core business revolves around personal data, it would be a good idea to invest in a DPO. However, if it is not your core business, you might not need one. Hospitals and insurance companies definitely need one. Research where personal data is collected would also benefit from hiring a DPO. The SMB IT consultancy company does not need one. It all depends on the amount of data and how long you hold on to it.
The DPO role would include amongst other things:
- Inform your employees who work with personal data of their responsibilities according to the GDPR and other EU or national requirements.
- Keep track of compliance with these, the delivery of responsibilities, training, and the inclusion of the employees involved in the processing of the data.
- Collaborate with authorities and be the company’s representative on personal data matters.
- Ensure that the so-called data subjects (the particular person behind the personal data) are aware of their rights regarding consent, extraction of consent and all of the rights that belong to them.
- …and more. Or less. Again, it depends on your company profile.
The lines are obviously not all that clear yet, and at some point it might be learning by doing. In essence, the important thing is that you have to be able to prove your compliance, which brings us to:
5. CLEAN UP YOUR DATA.
Get on with it now rather than later, as we know that basically all types of data – big or small – are increasing exponentially; the longer you wait, the more data there will be and the less time you will have. And remember, a lot of the requirements in the GDPR are softer for some industries. It is crucial to take your company’s type of business and mission into consideration when assessing the impact of the GDPR.
To close, the GDPR is not as bad as it can sound at times. With any new and very consequential change, you need to get your hands dirty (or hire people to do it) and gain and share knowledge, and in no time it will be the new way of doing business.
You can find a simplified illustration of the GDPR here.
In Danish here.