When the new European Data Protection Regulation (GDPR) comes into force in the very near future, it won’t matter whether you are part of a multi-national global company or a sole trader: your business will be affected. In fact, virtually every European organisation, from banks and educational institutions to eCommerce sites and direct mailing businesses, will fall under the scope of the new legislation.
The bottom line is that if your business or organisation holds any kind of personal data such as names and addresses, it will be accountable to the new legislation. With this in mind, we have created a series of 5 jargon-free and informative articles that aim to clarify some of the major issues that the new rules will raise.
In the first of these articles we will outline who the rules are likely to affect, the types of data that fall within their remit, and the consequences and options available in the event of a “non-compliance” situation.
While the new GDPR actually came into force as far back as the 24th May 2016, the new legislation will apply to all EU member states as law on the 25th May 2018. After that date, any business that is found to be “non-compliant” could face fines of up to 20 million Euros or 4% of their annual turnover (whichever is greater).
If you are still scratching your head and wondering whether or not the new GDPR rules are likely to affect the business you own or manage, there is only one question you need to answer: “Does your business or organisation hold or record personal information?” Unless you are able to respond with a resounding no, your business activities are going to fall within the scope of the new rules.
Simple logic dictates that any business involved in supplying real physical products will need to hold a name and delivery address of the customer. While that sector of eCommerce is virtually cut and dried where the new regulations are concerned, those who supply free digital goods such as media downloads and eBooks may only have an IP address, name and email.
The fact remains, however, that even in these instances data is still being collected and used, which means such businesses do come under the remit of the new rules. From names and email addresses to IP addresses and website login details, they all constitute a form of personal data under the new EU General Data Protection Regulation.
It doesn’t matter whether you run a “one man” bicycle repair business out of your garden shed or manage a global corporation: even if you only make a written note of a name and address, you are still deemed to be collecting personal data.
There is a real danger that many small “mom and pop” businesses may be tempted to bury their heads in the sand and hope that those policing the new rules will choose to look the other way.
The hard truth is, however, that under the new laws any individual is at liberty to make a complaint concerning an alleged breach of the new rules. That means you could unwittingly find yourself under investigation for non-compliance, with the possibility of facing what for many small businesses could be a ruinous financial penalty.
So, in effect, the new rules will affect any type of business, whether it operates online or from real industrial or high-street premises. All such businesses need to carry out a thorough review of how they collect, hold, and utilise personal data to ensure that they comply with the new regulations ahead of time.
Obviously, businesses such as banks, credit checking agencies, and others who operate solely through processing large amounts of personal data will receive a larger volume of enquiries from clients. Because a large portion of the new regulations concerns how data subjects (those whose data is held) are to be allowed access to such data, these types of businesses will be singled out for closer scrutiny.
One of the more specific remits for larger data collectors is that they will need to appoint so-called “data protection officers” who will undertake a range of specific responsibilities. These will include putting in place and maintaining processes to ensure that data requests from data subjects are dealt with in the correct way.
Along with showing that any such requests have been dealt with in a timely manner (usually 48 hours), these data protection officers will also be responsible for maintaining a traceable audit trail. Other responsibilities will include risk assessments and procedures for dealing with data confidentiality breaches. Bearing the above in mind, it should come as no surprise that for many larger data handling businesses both implementing the rules and failing to comply with them may prove costly.
Put in its broadest terms, any data that appertains to a person could be considered to fall within the scope of the new GDPR. That said, it may be helpful to categorise some of the main types of data collection while also taking a brief look at how the operation of collection systems will be affected under the new rules.
CRM (Customer Relationship Management) systems are one of the fastest evolving data management platforms available to small and medium-sized businesses. A big part of their attraction is that they offer a scalable customer database solution that can grow with a business. They operate to manage both business relationships and the client data associated with those relationships.
By their very nature, CRMs store and collate the specific personal details they are configured to capture and process them as the software dictates.
One of the aspects that may make such programs a major target under the remit of the new laws is the increased use of “cloud-based” storage of the data they handle. Any business that is using an existing CRM or considering implementing one would be wise to ensure that it addresses the issues concerning data storage and access under the new laws.
If your business uses email or even conventional mail marketing, it is going to fall fairly and squarely within the scope of the new data protection rules. Astute online marketers will already be compliant with the stiff global regulations concerning opt-in permissions and the need to advise their clients concerning what happens to their personal data.
The new regulations, however, demand much tighter definitions along with a crystal clear record of each individual’s consent for your business to acquire and hold their details. This, along with a system that protects the data and makes details of its use available to them, will now need to be built into any opt-in emailing campaigns that such businesses use.
Whether your business uses a third-party mailing client or something in-house, you would be strongly advised to check that it fulfils the remit of the new data protection rules.
Just because your business doesn’t manage a huge database of personal data doesn’t mean it falls outside the new European Data Protection Regulations. Even if you only have a handful of regular clients right now, your business may expand. It surely makes better sense to have a scalable data collection system that operates within the new rules in place now than having to totally overhaul how you handle personal data in the future.
Just by entering client details such as a name and email address onto an Excel spreadsheet or into a basic database, your business is collecting and storing personal data. Every business and organisation needs to consider the security of the data that they hold because under the new rules they are the ones who will be ultimately held responsible for it. It is also feasible to suggest that as the holders of the larger databases comply in “locking down” their data, smaller companies and organisations are more likely to be targeted by data criminals.
As we have already mentioned, the costs of non-conformity with the new European rules could be devastating to smaller businesses. This suggests that not only have the European lawmakers done their math, they are also intent on sending out a clear message concerning how important the issue of personal data protection actually is.
Even owners of the smallest businesses across Europe will be waking up to the fact that the cost of any penalties they may incur will far outweigh the investment needed to comply. While it remains to be seen whether the full penalties provided for under the rules will be applied to any miscreants, there is no doubt that Europe intends to continue taking a very serious stance on the issue of personal data protection.
The official website of the EU General Data Protection Regulation at https://ec.europa.eu/info/law/law-topic/data-protection_en provides further in-depth information and resources concerning the new legislation. From details of the process itself to an overview of the actual regulation, you will find more about it there.
We trust that you have found the above useful and informative, because we appreciate that the new rules are bringing in some of the biggest changes in over 20 years. There is no doubt that the fast-moving and rapidly evolving digital age we are living in will continue to affect how our businesses acquire, hold, and use personal data.
In the next article, we will look at how the e-commerce business type is likely to be affected by the new rules and consider some key ways in which such businesses will be able to meet the challenges they are certain to encounter in fulfilling their obligations.