GDPR Made Easy For Business Owners
If you’ve been on LinkedIn in the past year, then you’ve probably seen hundreds of posts about the upcoming GDPR legislation. With countless “experts” telling you how to become GDPR compliant, many people are still left scratching their heads over what this actually means for businesses.
The truth is that GDPR is complex legislation, but it’s also very important. It is enforced by the data protection authorities of the EU member states, and a business that fails to comply can face fines of up to €20 million or 4% of its worldwide annual turnover, whichever is higher, regardless of its size.
To break it into simple, bite-size chunks, we’ve put together a guide to GDPR for dummies. No matter how much or how little you know about GDPR, this handy guide will teach you what you need to know about the upcoming legislation.
Before we dive into whom GDPR affects and what data is protected, let’s get ourselves familiar with what GDPR is and why it’s so important.
What Is GDPR?
The General Data Protection Regulation, also known simply as GDPR, is European legislation aimed at increasing the protection of people’s personal data in the European Union. It replaces the 1995 Data Protection Directive (95/46/EC), on which the current UK Data Protection Act 1998 is based. Because it is a regulation rather than a directive, it applies directly in every member state without needing separate national laws.
Approved by the European Parliament in April 2016, businesses were given a two-year transition period to make sure they are GDPR compliant. The regulation applies from 25th May 2018, and any business found not to be compliant could face fines running into the millions.
With the threat of large fines, it’s no wonder GDPR has been a heavily discussed topic recently. Although the GDPR deadline might be fast approaching, you certainly don’t want to leave it until the last minute. Many big companies, Google among them, had already rolled out their GDPR changes by early March to make sure they would be compliant in time. If you’re thinking about leaving it to the last minute, then think again. Even the slightest setback might end up pushing you past the deadline, and then you’re truly in the danger zone.
Whom Does GDPR Affect?
The new GDPR legislation affects every business that is established in the EU, and every business outside the EU that offers goods or services to people in the EU or monitors their behaviour, no matter what country it is based in. Note that the test is where the people are, not their nationality: the regulation protects anyone physically in the EU, citizen or not. If a business has people in the EU as customers, then it needs to be compliant or it risks facing the wrath of the EU’s data protection authorities. At the extreme end of the spectrum, a supervisory authority can order a business to stop processing personal data altogether, which for many businesses is as good as a ban on trading in Europe.
Even if a company doesn’t deal with people in the EU directly but holds personal data about them, it will still be subject to the legislation. In practice this means that almost every business in the EU will be affected by the new law, regardless of its industry.
Speaking of personal data, what type of data will be protected under GDPR? Here’s a clue: any data that can help identify an individual.
What Data Will Be Protected?
Since the GDPR legislation is all about businesses protecting people’s personal data, it’s crucial you understand what counts as personal data in the first place. Under GDPR, personal data is any information relating to an identified or identifiable living person. It does not have to be a name: anything that singles someone out, on its own or in combination with other data the business holds, qualifies. Some examples include but are not limited to:
- Email addresses
- Social media posts
- Personal medical information (health data is “special category” data and gets extra protection, as do data about ethnicity, religion, politics, sexuality and biometrics)
- IP addresses and other online identifiers such as cookie IDs
- Bank details
In addition to this list, anything that counts as personal data under the UK Data Protection Act also qualifies as personal data under GDPR. Basically, if it’s information that can be used to identify someone, directly or when linked with other data you hold, then it is personal data.
What About Brexit?
For businesses in the UK, the thought of preparing for new EU legislation can seem unnecessary, especially when the country is expected to leave the EU within the next year. However, since the UK is not scheduled to leave until 29th March 2019, UK businesses will still be subject to the new law from 25th May 2018. Not to mention that the UK government has confirmed it will carry GDPR into domestic law regardless of Brexit, so the requirements will not disappear after the UK leaves.
What Do Businesses Need To Do?
For any business operating or dealing in the EU, the new GDPR legislation introduces a lot of changes that it must implement. From having strict data protection procedures in place to reporting breaches to the regulator and, where necessary, to the people affected, businesses will have to actively monitor and protect personal data on an ongoing basis rather than as a one-off exercise.
One of the new GDPR rights is the right to erasure, better known as the “right to be forgotten”. Anyone whose personal data a business holds can ask for it to be deleted, and the business must do so without undue delay, and normally within one month, where there is no longer a lawful reason to keep it: for example, because the data is no longer needed for the purpose it was collected for, or because the person has withdrawn the consent the processing relied on. Erasure has to cover every copy the business holds, including backups, and any recipients the data was shared with must be told about the request unless that is impossible or involves disproportionate effort. There are exceptions, such as data the business is legally required to retain, but the business has to be able to justify them. Objections to direct marketing are different: that right is absolute, so a business that keeps using someone’s data for marketing after they have objected is breaching the law and will end up in trouble.
Another rule under the legislation concerns personal data breaches, meaning any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. A business must report such a breach to its supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people affected. Where the breach is likely to result in a high risk to those people, the business must also tell them directly, without undue delay. In the past, many businesses have hidden data breaches from their customers until the news somehow got out. Under GDPR, staying silent is itself a breach of the regulation and can attract a significant fine on top of whatever penalty applies to the incident itself.
These are just some of the new ways in which businesses will have to deal with customers’ personal data from 25th May 2018. If you need more information on the upcoming GDPR law and how it will affect your business, then contact Purplebox Digital for a GDPR compliance site review.