Chances are high that you are already aware of the EU’s General Data Protection Regulation, or GDPR. But did you know that if you are not familiar with its complex details, your business can land in trouble and be fined heavily for non-compliance? Yes, that is the truth in plain and simple words. A cyber security expert based in London, who also doubles as a GDPR compliance specialist, has something important to clarify on this point. According to him, Brexit is not going to help or insulate businesses based in the UK from being penalised for non-compliance with the GDPR.
Before we discuss the GDPR and how it can affect your business, let us look at its background. One thing is certain: the GDPR has brought about drastic changes where IT support is concerned.
The latest GDPR version was introduced on May 25, 2018. Its predecessor, the Data Protection Directive, was created in 1995, in an age when social media and the Internet were yet to redefine the boundaries of the digital world.
The current GDPR deals with the privacy of EU citizens across online and digital environments. Before it was implemented, a section of businesses was frequently reported to be going beyond ethics and trading personal data for hefty profits. The GDPR was therefore much needed to stop this corrupt and unscrupulous practice. It may be noted here that the GDPR makes both trading and selling email addresses and names illegal, and it also provides for heavy penalties on people or businesses engaging in this unethical practice.
The penalty may amount to a maximum fine of €20 million, or 4 per cent of global annual turnover, whichever is greater. The lower tier of penalty may amount to €10 million, or 2 per cent of global annual turnover, whichever is greater.
This shows how important it is to comply with the GDPR. Businesses of all shapes and sizes, irrespective of industry, are doing their best to ensure their data security complies with the GDPR norms.
GDPR and the UK
The Information Commissioner’s Office (ICO) is responsible for enforcing the GDPR in the UK. Organisations that collect, store and use personal data must demonstrate that they are using the data lawfully and in accordance with the 6 basic principles that form the foundation of the GDPR.
6 principles that form the GDPR foundation
- Collected data must be processed lawfully and transparently.
- Data are collected for particular, specified reasons and processed only for those reasons.
- Only the data that is required for the intended purpose is collected.
- Make sure that the data is accurate.
- Store the data in a form that permits identification of individuals only for as long as it is necessary.
- Safeguard it from unauthorised or unlawful access and from accidental loss or damage, and store it in a secure location.
Consumer rights under the GDPR
The GDPR offers 8 rights to consumers as individuals. These include the following:
- The right to be informed: Businesses must inform individuals of the following when collecting their data: which data are being collected, who the data will be shared with and how long it will be kept or stored.
- Access right: Individuals have the right to contact an organisation at any time and demand to know what of their data the organisation holds, whom it has been shared with and how long it will remain in the organisation’s possession.
- Rectification right: Individuals have the right to verify the information an organisation holds about them and, in case of any inaccuracy or discrepancy, to have the data corrected.
- The right to erasure: As a consumer, you have the right to have your data deleted, in part or in full, from the records of an organisation.
- The right to restrict data processing: As a consumer, you can also contact an organisation and prevent it from processing the records it holds about you.
- Data portability right: Organisations have to allow individuals to access and extract their data, to avoid data monopolisation caused by a lack of portability.
- The right to object: You can ask an organisation to stop using your data in a way that is objectionable to you. For example, you can object to being on a mailing list and prefer other channels of communication.
- Automated decision-making and profiling: Machine learning and artificial intelligence have led organisations to profile individuals based on accumulated data. Profiling of individuals is a fresh challenge to privacy. As an individual, you have the right to object to such uses of your data. You can also challenge any automated decision about you that has been drawn from it.
GDPR and small businesses
Before the GDPR came into effect, businesses in the UK had to comply with the Data Protection Act of 1988. It was even more outdated than the Data Protection Directive, which the GDPR replaced. With Brexit coming into force, it seems unlikely that small businesses in the UK will get any respite from the way they must currently treat individuals’ rights to privacy and data collection while maintaining GDPR compliance. Regulations similar to the GDPR are to be introduced to ensure that consumers’ rights, liberty and privacy are not compromised in any way.
However, it is important to note that corporate organisations with fewer than 250 employees do not need to comply with the GDPR in the same way as larger business houses or brands. But the right to erasure applies equally to businesses of all shapes and sizes.
As of now, your business may not have to comply with the GDPR. But it is strongly recommended that it should act as if it does. This forward-looking approach will prove helpful the day your employee count goes above the 250 mark. It will also make things easier to handle if the regulations are tightened in the near future.
GDPR defining personal data
The GDPR regulations apply to data that were collected even before the GDPR came into effect. The concept of personal data is now better defined, and its components include the following:
- Personal home address and email ID
- Names and phone numbers of personal contacts
- Ethnic or racial origin
- Personal IP addresses
- An individual’s political orientation or affinity
- Faith or religious belief
- Trade union membership
- Criminal offences if any
The GDPR came into effect in May 2018. Since then, data protection and privacy rules have become stricter than ever. Small businesses are facing the greatest difficulty in this changed situation. Here are some useful tips to help them comply with the GDPR more easily.
Tips for small businesses on GDPR compliance
- Hire a GDPR compliance specialist: There should be a GDPR compliance specialist in your IT or HR team. The more people in your organisation who are familiar with the GDPR, the better it is for you. You may also have to hire a data protection officer, depending on the size and nature of your business.
- Re-organise and update cyber security measures: You should have an efficient cyber security team. Using the most up-to-date software versions, the team must monitor your network round the clock. Your security protocols should be efficient enough to send out alerts instantly when a security breach is detected.
- Audit your data: You must know where all the personal data are stored, whether in the cloud, on servers, in emails, on mobile devices or in apps. Thoroughly inspect data at regular intervals. If any data ever seems to be missing, ask your IT people to find it with data recovery.
In addition to the points mentioned above, you have to make sure that your privacy notices and contracts are in complete compliance with the GDPR.
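The data audit tip above, together with the list of personal-data categories earlier on this page, is the kind of task that can be partly automated. The following is an added example written for this page, not code from Totality Services or from any GDPR tooling: a small personal-data discovery script that scans a set of constructed sample "data stores" (an email, a config file, a cloud note and an application log, all invented here) for email addresses, IP addresses and UK-style phone numbers, builds an inventory of which store holds which category, and locates every store that mentions a given data subject so that an access or erasure request can be answered. The function names, the sample stores and the regular expressions are assumptions made for this example; real audits will need patterns for the other categories listed on the page (postal addresses, names, and so on) and access to the real storage locations.

```python
import re
from typing import Dict, List

# Constructed sample "data stores" for the example: location -> file contents.
# None of these addresses, hosts or numbers refer to real people or systems.
SAMPLE_STORES: Dict[str, str] = {
    "mail/inbox/0001.eml": (
        "From: jane.doe@example.org\n"
        "Subject: invoice\n"
        "Call me on +44 20 7946 0958"
    ),
    "srv/app/config.ini": "[db]\nhost=10.0.0.12\nuser=svc",
    "cloud/bucket/notes.txt": (
        "Meeting at 5 Example Street, London. Contact: john@example.com"
    ),
    "srv/app/app.log": "2024-01-01T10:00:00Z client=203.0.113.7 GET /profile",
}

# Detection patterns for three of the personal-data categories named on the page.
# These are deliberately simple; they are assumptions for the example, not a
# complete definition of what counts as personal data.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "email_address": re.compile(
        r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"
    ),
    "ip_address": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
    # UK-style numbers: international "+44 20 ..." or national "020 ..." form.
    "phone_number": re.compile(
        r"(?:\+44\s?\d{2,4}|\b0\d{2,4})[\s-]?\d{3,4}[\s-]?\d{3,4}\b"
    ),
}


def scan_store(text: str) -> Dict[str, int]:
    """Count how many values of each personal-data category appear in one store."""
    counts = {}
    for category, pattern in PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            counts[category] = len(hits)
    return counts


def build_inventory(stores: Dict[str, str]) -> Dict[str, Dict[str, int]]:
    """Map every store location to the categories (and counts) of personal data found.

    Only counts are recorded, never the matched values, so the inventory itself
    does not become another copy of the personal data.
    """
    return {location: scan_store(text) for location, text in stores.items()}


def redact(value: str) -> str:
    """Mask a matched value for display, keeping only the first and last character."""
    if len(value) <= 2:
        return "*" * len(value)
    return value[0] + "*" * (len(value) - 2) + value[-1]


def locate_subject(stores: Dict[str, str], identifier: str) -> List[str]:
    """Return every store that mentions a data subject's identifier (e.g. their email).

    This is the lookup needed to answer an access request or carry out erasure:
    each returned location must be reviewed and, where appropriate, cleaned.
    """
    needle = identifier.lower()
    return sorted(
        location for location, text in stores.items() if needle in text.lower()
    )


if __name__ == "__main__":
    for location, counts in build_inventory(SAMPLE_STORES).items():
        print(f"{location}: {counts or 'no personal data detected'}")
    subject = "jane.doe@example.org"
    print(f"stores holding {redact(subject)}: {locate_subject(SAMPLE_STORES, subject)}")
```

Run as a script, the block prints an inventory of every sample store and then the locations that would have to be handled for an erasure request from the constructed subject. The inventory records categories and counts rather than the matched values, which keeps the audit output itself from becoming one more place where personal data is stored.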
The tips and tricks mentioned above are provided by Totality Services – reputed for offering premium IT support at the cost of peanuts. If you think you can avoid the GDPR compliance because Brexit will nullify it, you should think again, suggest IT pros working at Totality Services.