How do you know if GDPR applies to you?
Only half of UK businesses are even aware of GDPR, while a mere five percent are prepared for the upcoming deadline. Due to infamous data breaches of large organisations, including Uber, Pizza Hut and Deloitte, many companies presume the new data protection regulations only apply to organisations processing huge volumes of personal data. But this is simply not true.
In this short blog, we'll explain GDPR requirements in more detail and discuss four clear signs your business needs to get compliant fast.
1. You process EU citizen data
Due to GDPR being initiated to help protect European citizens, organisations operating outside of Europe may think they have dodged a bullet. However, any organisation processing or collecting the data of EU citizens are responsible for GDPR compliance, and are at risk to the hefty fines that come with the failure to do so.
There has been some confusion over whether GDPR affects the UK after the decision to leave the European Union. However, because the UK’s Brexit strategy is yet to be confirmed, the UK will be operating under the GDPR requirements, with the UK government indicating they will implement an equivalent in the future.
2. You control EU citizen data
While data controllers differ to data processors, both must abide by the GDPR.
But which one are you?
A data controller determines the purpose and conditions of processing personal data. Data processors, as the name suggests, are the entity which processes this data on behalf of the controller.
For example, a utility company like British Gas may share their customer data with a call centre that are providing BG’s customer service operations. In this example, British Gas is the data controller, while the call centre is the data processor.
While it is the controllers responsibility to ensure their processors are following the GDPR, processors must also abide by the rules to avoid penalties.
3. You have more than 250 employees
Companies who employee more than 250 people are expected to follow the GDPR regulations in full. This includes the obligation to keep detailed records of data processing and controlling.
While there have been rumours that GDPR does not apply to small and medium-sized (SMEs) enterprises, this unfortunatley is untrue. While it’s understood that SMEs pose a much smaller risk to data privacy than their larger competitors, SMEs are not exempt from the incoming regulations. What they are exempt from is the obligation to keep thorough internal data records, and instead will only need to do so if they are handling particularly sensitive data, such as criminal convictions or ethnic origins.
4. Your consent forms are ambiguous
One of the main aims of GDPR is to empower EU citizens to be confident in knowing who has access to their data, and to understand when they are giving organisations consent to use it. In fact, 61 percent of IT decision makers have said that citizen’s PII (Personal Identifiable Information) data being protected is GDPR’s key benefit to EU citizens.
To help achieve this, all company forms, with the purpose of data processing, will have to be written in clear plain language. Terms will no longer be allowed to be ambiguous, or feature legal terms users may struggle to understand. Instead, consent will be clear and distinct. Further to this, users must be able to withdraw their consent easily.
Don’t get caught out by GDPR compliance
Following infamous security breaches that let personal data fall into the wrong hands, the EU parliament has taken amicable steps to keep European citizen’s data safe, while forcing organisations to think differently about data privacy. Though many assume these regulations only apply to large companies, any business that provides a service or collects data on any EU citizen will be affected by GDPR and is encouraged to take action before it’s too late.
With our long-running expertise in compliance and security, we can help your company meet the GDPR on time. Why not book a meeting with one of our trained consultants for more advice?