General Data Protection Regulation (GDPR) – What it means for you and your business

May 25, 2018. Mark your calendars. If your company is not in compliance, heavy fines may ensue!

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and is designed to harmonise the multiple data privacy laws across the EU, further normalising and shaping the way organisations across the region approach and manage data privacy. Ireland, being part of the EU, is subject to this requirement.

The GDPR was approved (and adopted) by the EU Parliament in April 2016. After a two-year transition period, the standard is ready to become part of everyday business practice. That means you! Unlike a Directive, a Regulation does not require any associated legislation to be passed by national governments, so it will be in force by May 2018.

Protecting all personal data is no small initiative for any country, let alone for an organisation such as the EU to bring to fruition. There will be hurdles and there will be issues while companies work towards becoming officially compliant.

Why do I need to be compliant?
Well, because the government said so. With the recent, well-documented data breaches exposing customer information, there is now greater concern over the protection of personal and corporate data. Foreign hacking concerns and hacking-for-profit require a more prudent and standardised method of data protection.

Any information related to a real person that can be used to directly or indirectly identify the person must be protected. This includes a name, a photo, an email address, bank details, posts on social networking websites, medical information, or even a computer IP address.

If your company handles or processes data about individuals in order to sell goods or services to citizens in other EU countries, then you will need to comply with the GDPR.

Small companies need to comply.

‘But I am just a small company!’ you say. How costly will this compliance be? The GDPR will apply to any business that processes the personal data of EU citizens, including those with fewer than 250 employees, contrary to a common misunderstanding.

Preparing for these requirements does not need to be costly, but it will consume internal resources. A few tips to help prepare smaller businesses for the deadline:

  • Know your data, and your customers. Review what kinds of data you manage and compare them to what is covered by the GDPR compliance demands.
  • Understand what ‘consent’ means and how you will apply it to your customer interactions and marketing strategies.
  • Run penetration tests on your data infrastructure, if you have not already done so.
  • Set realistic goals for ensuring your data meets the requirements of the GDPR – do a monthly assessment as a team.
  • Train your employees and document the procedure for reporting any and all breaches within the required 72 hours.
  • Be open with your customers and assure them you are working on your compliance – have an open and candid discussion about any concerns they may have.

Who does the GDPR affect?

The GDPR applies not only to organisations located within the EU but also to organisations located outside the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/).

Is compliance your goal?

If not, it should be. Organisations can be fined up to 4% of their annual global revenue for breaching the GDPR standards (up to €20 million) – the maximum fine that can be imposed for the most serious infringements (e.g. not having sufficient customer consent to process data, or violating the core Privacy by Design concepts).

However, it is important to note there is a tiered approach to potential fines:

  • A company can be fined 2% for not having its records in order (Article 28).
  • The same tier applies to not notifying the supervising authority and the data subject of a breach, or to not conducting an impact assessment.

These rules apply to both controllers of data and processors or brokers of data – that means ‘cloud storage’ providers will not be exempt from GDPR enforcement.

The knowledgeable team at Herbst Software can assist you and your company in meeting the May 2018 deadline and ensure that you are not only compliant but can also assure your clients that their data is secure and safe in your hands.