As a CEO, your day is spent trying to figure out what is important for your business, and what isn’t. Irrelevant information is the biggest threat to your time, yet every so often there comes a topic worth talking about. As we approach the new year, that topic is the General Data Protection Regulation (GDPR).
Coming into force on the 25th May 2018, the GDPR will completely change how businesses handle data. Businesses need to comply with the regulation by this date or face heavy fines. Is your business ready for the regulation? If not, don’t worry, here’s our CEO guide to the GDPR.
Who does the GDPR apply to?
The GDPR applies to data ‘controllers’ and ‘processors’. The regulation defines these roles as follows:
- Data controller: says how and why personal data is processed
- Data processor: acts on the controller’s behalf
This means that the GDPR applies to any business that offers goods and services to people within the European Union. It also applies to any organisation which collects and analyses data relating to EU residents. Regardless of Brexit, if your business processes such data, the regulation applies to you.
What information does the GDPR cover?
The regulation applies to ‘personal data’. This definition includes information like IP addresses and any other online identifier. It also applies to automated personal data and manual filing systems where personal data is accessible according to specific criteria.
There are also special categories of personal data that businesses are forbidden from processing. This includes data revealing information like a data subject’s race, political opinions and religious beliefs. Businesses can process this data only with the express consent of the data subject, or in very specific circumstances, for example, if it is in the public interest. You can see the full list, plus exceptions, here.
For most businesses, this expanded definition shouldn’t make much difference. If your information fell within the scope of the Data Protection Act, it will likely be within the scope of the GDPR.
What are the penalties for non-compliance?
Your business can be fined up to four percent of annual global turnover or €20 million, whichever is greater. This is the maximum penalty. There is a tiered approach to fines; for example, failure to notify your supervisory authority and data subjects about a breach within 72 hours will result in a penalty of two percent of your turnover.
What should my business do to prepare for the GDPR?
There are a few things you can do today to prepare your business for the GDPR.
- Document what personal data you currently hold. Find out its origin and who has access to it. You may need to conduct an information audit.
- Review current privacy policies. Put a plan in place for making any necessary changes before the regulation comes into force.
- Identify the lawful basis for your processing activity. You need to be able to explain why you are holding personal data under the GDPR. Document the reasons for all the information you hold and update your privacy notice to explain it.
- Ensure you have a plan for data breaches. You should be ready to detect, report and investigate any data breach your company faces.