Will GDPR affect my business?
Does your business operate within the European Union (EU)? Or supply services or goods to anyone within the EU? Or monitor EU citizens? If you answered yes to any of these questions then yes, the General Data Protection Regulation (GDPR) should affect your business processes. The GDPR is the new governing legislation for the acceptable processing of personal data across the EU. Personal data is information regarding an identifiable, living person. Processing includes the storage, transfer, and use of personal data.
Does the Size of my Organisation Matter?
If your organisation processes personal data, you must understand the directives GDPR will place on your processing activities. Complying with GDPR, and processing data responsibly, is the law. Although no business is fully exempt from GDPR, small and medium-sized enterprises (SMEs) have slightly fewer requirements around documenting their GDPR compliance than larger organisations. Businesses with 250 or more employees are required to document all of their processing activities, whereas businesses with fewer than 250 employees are only required to document their processing if any of the following conditions are met:
- The processing activity is regular, rather than occasional
- The activity could risk the rights and freedoms of data subjects (those whose personal data is being processed)
- Special category data (data regarded as highly sensitive and subject to greater restrictions) or data regarding criminal convictions/offences is being processed
Do I Need to Appoint a DPO?
A Data Protection Officer (DPO) is an individual not involved in data processing activities who is responsible for ensuring your business remains compliant with data protection legislation, e.g. the UK's implementation of GDPR, the Data Protection Act (2018). Not all organisations are required to appoint a DPO, but all are permitted to appoint one should they so wish. Organisations that meet any of the following criteria must appoint a DPO under GDPR law:
- You are a public authority
- The core activities of your business require regular, large-scale monitoring of individuals
- The core activities of your business require large-scale processing of special category data or information about criminal convictions/offences
Sectors Which Will be Most Affected
Sectors that process a large volume of special category data (e.g. health data, religious beliefs, political opinions, race, ethnicity, trade union membership, genetics, ID biometrics, sex life or sexual orientation) need to pay particular attention to the conditions under which this type of data can and should be processed. Sectors that might process this type of data include health organisations, some charities, and religious organisations like churches.
Another sector taking a hit from GDPR implementation is marketing. Many marketing departments have routinely relied upon extensive email databases, often bought or scraped (copied from websites), for promotional purposes. Both of these means of obtaining email addresses are forbidden under GDPR legislation, since email addresses, particularly non-business ones, fall under the category of personal data. Cold calling practices have also come under scrutiny. Whilst cold calling is still permitted, a balancing test needs to be performed to weigh the interests of your business against those of the data subject before using their data for this purpose. Business-to-business (B2B) marketing has benefited from a more lenient outlook under the GDPR, allowing data to be processed for legitimate purposes without consent, as long as an opt-out option is easily accessible. Whilst a large amount of time will need to be invested in making sure marketers are GDPR compliant, this offers an opportunity for organisations to introduce best practice when it comes to collecting data, and to streamline their marketing strategies for the better.
Sectors that are required to process children's personal data, such as childcare services, schools and some clubs, are under an additional set of restrictions. Issues surrounding a child's ability to consent and to understand the purposes of data processing complicate the way in which organisations handle children's data. Largely speaking, children under the age of 13 require a parent or guardian with parental responsibility to consent on their behalf.
Human resources (HR) departments handle copious amounts of employee data. In order to protect employees, HR staff must undergo regular data protection training and fully understand the implications of GDPR for their job role.
Why is GDPR Important to My Business?
GDPR has provided a single set of rules for all EU companies to abide by, thus levelling the playing field for your business and making data transfers between EU countries more seamless. Non-compliance can result in data breaches, which can have huge consequences for your business and its data subjects alike. Following the introduction of the GDPR, possible fines for a serious data breach have rocketed to €20 million or 4% of your business' annual turnover, whichever is greater. The governing body within the UK which ensures organisations are GDPR compliant is the Information Commissioner's Office (ICO). As well as monetary penalties, a data breach could result in a serious loss of confidence in your business and a permanent stain on your reputation, arguably a business' most precious asset. It is vital that you implement good data security measures and conduct systematic monitoring of your data set. Data protection training can help your staff remain GDPR compliant and prevent financial and reputational repercussions.