GDPR - The Facts
The reality behind the hype of GDPR

There’s been a lot of noise about the forthcoming General Data Protection Regulation, though not all of it accurate. John Paterson looks to separate fact from fiction and offers practical tips for business owners.
The General Data Protection Regulation (GDPR) is due to come into force on 25th May 2018. It’s designed to protect the privacy of EC citizens, ensure their personal data is not exported outside the EU and give them control of how the data is used. Although the right to privacy from government surveillance has been included in legislation over the years, the advent of the Internet has meant that large corporations are also able to conduct what is, in effect, mass surveillance. In the US there is almost no privacy legislation, it being left to the god of free markets, and outside the EC only a few countries take privacy seriously. GDPR effectively exports the European notion of the right to privacy to any business that collects personal data on EC citizens, backed up by stiff penalties for non-compliance. Paterson comments “Modern technology has moved on leaps and bounds since the last update to the data protection regulations, and GDPR is the EU’s way of catching up with how companies are currently collecting and storing people’s data.”

What GDPR entails for business

Getting Consent
From 25th May 2018 no organisation, regardless of which country it is based in, will be able to send marketing emails or SMS messages to EC citizens unless they have given explicit consent to be contacted by that organisation. This means no more pre-ticked acceptance boxes; it has to be an unticked checkbox explaining what will happen if you tick it. Alternatively, you’ll need a double opt-in via a confirmation email in which the person clicks a link to consent. You’ll also need to be able to record how and when consent was given, to provide proof should the regulatory body (in the UK this is the Information Commissioner’s Office) receive a complaint.
Fines & Sanctions
The maximum fine for a breach has been stated as 20 million Euros or up to 4% of global revenues, whichever is higher. In practice, the regulatory body is not likely to do anything if just one person complains, other than maybe sending a warning letter. The penalties are there for companies that flagrantly and repeatedly abuse GDPR.

Right to Erasure
Individuals can request that the data you hold on them is erased. There are some exemptions to this, but in practice most businesses will have to comply. You must comply without delay, and certainly within one month.

Data Portability
Individuals can request a copy of the data you hold on them. This applies to data they have given you and would also include stored emails from them, and their purchasing and payment history.

Data Breaches
Under the regulation you have just 72 hours to report any data breach to the supervising authority. You should then inform the data subjects of the breach “without undue delay”, the timing dependent upon the likely risk of damage to those individuals.

Data Protection
If you hold personal data then you have a duty of care to safeguard that data. This includes restricting access to only those who need it to do their jobs, and making sure that the data is held securely. You also need to be able to demonstrate compliance with GDPR.

You may only transfer personal data to countries within the EC, or to those where the Commission has determined that the country has adequate levels of data protection. That list currently comprises Andorra, Argentina, Canada, Switzerland, Faroe Islands,

@ReallySimpleSys
John Paterson is the founder and CEO at Really Simple Systems, CRM vendor and Xero partner. John’s expertise and interest in data security has led him to research the new EU legislation, GDPR, and challenge some of the myths.
XU Magazine - the independent magazine for Xero users, by Xero users. Find us online at: xumagazine.com