In just under six months, the European General Data Protection Regulation (GDPR) comes into full force. From May 25, 2018, all companies that collect and store personal information on European Union (EU) citizens must be compliant.
A common misconception is that GDPR applies only to companies located in the EU. Another is that it applies only to large corporations. In fact, GDPR affects companies of all sizes that process data on an EU resident, regardless of whether they have a physical location in the EU. It also covers data held on employees, customers, and vendors. There are no minimum revenue or employee-count thresholds for GDPR to apply.
In the EU, privacy is a fundamental right, and GDPR sets a new high bar for how EU customers will expect their data to be treated by any company they interact with. GDPR will have a big impact on small and medium businesses (SMBs).
Data Controllers & Processors
One of the first things an SMB needs to understand is if and when it is a data controller or a data processor. The data controller defines how and why personal data is processed and determines the purposes for which it is processed. Every company is a data controller to some extent, since at a minimum it is responsible for the data of its own employees or its clients.
The data controller is responsible for ensuring that the data processors it uses are GDPR compliant.
Data processors are either internal groups or outsourced vendors that process personal data on behalf of the data controller. For example, if employee benefits are administered by a third party, that benefits company is a data processor to your company. If you are a marketing agency, you are a data processor to your clients.
Non-compliance with GDPR can be costly. Companies could face regulatory fines as high as four percent of their global annual turnover or €20 million, whichever is higher. GDPR is setting a new baseline for privacy and security and EU customers will expect companies to comply.
Customers are going to be looking for GDPR-compliant companies to work with. By not being GDPR compliant, SMBs could lose current or potential customers.
Most companies think of personal data in terms of name, email address, physical address, phone number, or identification numbers. However, GDPR expands the definition of personal data with special categories such as health, genetic, and biometric data. These special categories are deemed to be “particularly sensitive in relation to fundamental rights and freedoms” and as a result warrant special protection.
GDPR personal data elements include (but are not limited to) the following:
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and device identifiers
- Genetic data (e.g. an individual’s gene sequence)
- Biometric data (fingerprints, facial recognition, retinal scans, etc.)
- Racial or ethnic origin
- Political opinions
- Sexual orientation
- Religious beliefs
Start planning now!
Companies need ample time to prepare. An SMB should start by determining whether it is a data controller or a data processor, and by understanding what data it collects, where it is stored, how it is used, and what privacy notice is provided to the data subjects (remember that a data subject can be an employee, customer, or vendor).
Companies not in compliance by May 25, 2018, risk hefty fines, scrutiny by local supervisory authorities, and negative PR. There is also the potential loss of customers, as companies need to ensure they work with GDPR-compliant vendors.
GDPR readiness will need to be part of everyday business operations. All contracts with third parties should be reviewed to ensure they contain appropriate GDPR clauses, data inventories should be performed, and privacy notices and policies should be updated. GDPR compliance should be considered in all future data collection plans.
Larger companies will need to work with GDPR compliance organizations. It will be a competitive advantage for SMBs to become GDPR compliant and fluent in its requirements. Additionally, customers will begin to expect to share their information only with GDPR-compliant companies.
Stay tuned for Part Two of this GDPR series, which will discuss in-depth elements such as consent and online data technologies, privacy notices and cross-border transfers.