The General Data Protection Regulation (GDPR) has been enforced since May 25, 2018, and you might need to update your data handling procedures. While its name might scare some, it is a positive step taken by the EU towards protecting the personal data of individuals. GDPR rests on two main aims:
- Giving EU citizens and residents more control over their personal data.
- Simplifying regulation for international businesses with a single regulation that applies across the European Union (EU).
A common misunderstanding among small business owners is that GDPR only applies to large, global companies that conduct business overseas, and not to companies with fewer than 250 employees. In fact, GDPR applies to every company handling the personal data of individuals in the European Union (EU), irrespective of its size, industry or country of origin.
What rights does an individual have?
GDPR gives an individual the following rights over their personal data.
- At any point, an individual may request access to their personal data free of charge and has the right to know how that data is being used.
- An individual's personal data must be deleted once it has served the purpose for which it was collected (the right to erasure).
- An individual can request that their personal data be transferred between service providers easily and safely (the right to data portability).
- Individuals must be informed about how you intend to use their personal data at the time it is gathered, and they must freely give their consent to it. Consent cannot be assumed or taken for granted. There are specific rules about what information you must supply and at what stage you must supply it to your customers.
- An individual is entitled to have personal data rectified if it is inaccurate or incomplete. If you have disclosed the data in question to third parties, you must inform them of the rectification.
- Companies should ensure that their customers are aware of the third parties to whom they have disclosed the data.
- People have the right to object to the company’s use of their data. The objection must be on “grounds relating to his or her particular situation”.
- The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken about them without human intervention. Companies should identify whether any of their processing operations constitute automated decision making and consider whether their procedures need updating to meet the requirements of the GDPR.
- Companies are obliged to report certain types of data breach to the relevant supervisory authority. If a breach is likely to result in a high risk to the individuals affected (for example, identity theft), those individuals must also be notified directly.
Preparing for GDPR
Here is what you need to take care of to be GDPR compliant.
Know your data: how you collect it, what you intend to do with it, and whether it is still relevant. If it is no longer relevant, discard it.
Requests from an individual to delete, amend or transfer their data must be honoured within one month (extendable by a further two months for particularly complex requests, provided the individual is told why).
Establish a lawful basis for processing data. Consent is one such basis; where you rely on it, there must be a positive opt-in from the client. Consent cannot be inferred from silence, pre-ticked boxes or inactivity, and it must be kept separate from other terms and conditions. Businesses must also be able to produce evidence of this consent if requested.
Prepare for data breaches. You are obliged to report certain types of data breach to the relevant supervisory authority within 72 hours of becoming aware of them. If a breach is likely to result in a high risk to the individuals affected (for example, identity theft), you must also notify those individuals directly.
Appoint a data protection officer (DPO) if you process personal data on a large scale. A DPO is mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data; even where it is not mandatory, having one is good practice. The DPO's job is to inform and advise the organisation on meeting GDPR requirements and to monitor compliance.
What are the GDPR penalties?
GDPR has toughened up the penalties that existed under the Data Protection Act (DPA). Those existing penalties include:
- Maximum fines of £500,000
- Prosecutions, including prison sentences for deliberate breaches
- Obligatory undertakings, where your company has to commit to specific action to improve compliance
With the introduction of GDPR, the penalties have been revised.
Businesses in breach face a dramatic increase in fines, with penalties reaching an upper limit of €20 million or four percent of annual global turnover, whichever is higher.
Keep in mind that individuals can also sue you if they suffer as a result of your data handling. This could be for material damage or for non-material harm, such as distress.