It’s a significant undertaking, with a looming deadline (May 25, 2018) and significant fines for non-compliance. There’s a lot to get ready.
But, the truth is that GDPR is a good thing and -- as Elizabeth Denham, the UK’s Information Commissioner, points out -- its implementation, even for smaller businesses, should be neither scary nor onerous.
What is GDPR and why do we need it?
GDPR -- the General Data Protection Regulation -- is a new law across the European Economic Area (EEA) that replaces the Data Protection Act 1998. It is intended to strengthen the control individuals have over their data and their right to privacy, and it therefore requires greater controls from companies that control and process personal data.
Think back 20 years. There was no iPhone (2007) and no Facebook (2004). The way that personal data was used, and the volume of data shared, when the 1998 act came into force was very different from today. GDPR aims to bring data protection rules more in line with modern day practices.
It applies to “personal data,” which means “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.”
Why is GDPR good for your business?
Research shows that individuals are concerned about the use (and possible misuse) of their personal data: two-thirds are concerned about not having complete control over the information they provide online; 31% think they have no control over it at all.
As Denham wrote in an August 2017 blog post, the new rules are about “greater transparency, enhanced rights for citizens, and increased accountability.”
For businesses complying with GDPR, a principle-based approach to managing their privacy program lets them apply privacy requirements consistently across processes and products, which ultimately strengthens the trust relationship with customers.
And, of course, trust is the foundation of valuable, ongoing customer relationships.
Is my business exempt from GDPR?
One of the first steps in preparing for GDPR is to understand what personal data your business holds and what you use it for, keeping in mind that your employee data, not just customer data, is also covered by the regulation.
Smaller businesses (with fewer than 250 employees) have some exceptions but are not exempt. That said, the Information Commissioner’s Office (ICO) has produced a wealth of useful information, guides, self-assessment tools and a help-line specifically for smaller organizations (see below).
Also, remember that GDPR applies to any organization processing the personal data of any EU citizen. Even online retailers in America or China are affected if they deal with EU customers.
What can I do?
Don’t panic. But, don’t stick your head in the sand either. A lot of GDPR is simply best practice and compliance with existing regulations, which gives you a great starting point. However, the new rules will probably mean you need some new processes and policies.
Start here, with the ICO’s Frequently Asked Questions for small organizations.
Next, read through the ICO’s handy 12-step guide, Preparing for the General Data Protection Regulation.
Now that you have the background, use these handy self-assessment tools to understand how ready you already are.
It is also really useful to read through the online Guide to GDPR.
Finally, if all else fails, the ICO has set up an advice service for small organizations.
There are penalties for non-compliance, but fines are a last resort. “This law is not about fines,” Denham wrote. “It’s about putting the consumer and citizen first. We can’t lose sight of that. Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point.”
GDPR is about doing the right thing for your customers and with their data. It may be unavoidable, but it’s also a good thing for your business. If you haven’t already started, begin today and help your customers (and staff and suppliers) see that you respect them and their information.
The ICO provides general advice, but it also recommends contacting the professional or trade body for your specific industry. Many of these are running events and webinars between now and May to help members understand how GDPR affects their operations.
Our Support Article describes the ways we're meeting the requirements of GDPR compliance.
This excellent video from the Federation of Small Businesses gives a useful overview of GDPR. It’s the first in a series of three.
The ICO’s series of myth-busting blog posts, written by Denham and Deputy Commissioner Steve Wood, is a useful way to see beyond the hysterical headlines and understand the ICO’s intent.
The International Association of Privacy Professionals is policy neutral and the world’s largest information privacy organization.
We are actively working to ensure compliance with the regulation. Stay tuned for more details.
A version of this post was originally published on PayPal Stories UK.