Why Every Business Should Be GDPR Compliant
If you do business in the UK or European markets, you will have heard of the GDPR by now. In less than 7 weeks from now the GDPR takes effect, and every business that handles personal data will have to comply with it.
The internet has transformed the way we communicate and handle everyday tasks. We communicate, pay bills, share documents and buy goods online, and each of these activities means submitting personal details. Businesses collect more and more of this data every day, and The Economist has called data the world's "most valuable resource".
That data is also vulnerable to theft and misuse: consumers are spammed every day with emails and promotional offers they never signed up for. The recent revelations about the harvesting of Facebook users' data by Cambridge Analytica have increased public anxiety and put pressure on governments and businesses to do more to protect the data that businesses hold.
The GDPR (General Data Protection Regulation) is the EU's response to these problems. Its aim is to ensure that the personal data of EU citizens and residents is kept secure and is not misused.
What is GDPR?
The GDPR is a new data protection regulation that applies from 25 May 2018. It is a lengthy piece of legislation, with 11 chapters and 99 articles.
The GDPR aims to give citizens and residents back control of their personal data, and to simplify the rules for international business by unifying data protection regulation across the EU.
Existing legislation such as the UK's Data Protection Act 1998 predates today's online services and is no longer adequate for safeguarding individuals' data. Under the GDPR the scope of "personal data" is much wider than under the DPA: it covers any information relating to an identified or identifiable person, such as a name, photo, telephone number, email address, social media account, location data or an online identifier such as an IP address. Put simply, any PII (personally identifiable information) is protected under the GDPR.
Furthermore, personal data is not defined by the role a person plays, and there is no distinction between data about a person's private and public life. Customer contact data held by B2B companies is personal data too, because the point of contact is always a person. The GDPR puts individuals in control and gives them the authority to decide what happens to their data.
The 8 fundamental data rights listed below are what the GDPR gives individuals:
Right to have information corrected (rectification) – Individuals can have their data updated if it is inaccurate, incomplete or out of date.
Right of access – You must confirm to an individual whether you are processing their personal data. Individuals have the right to request a copy of that data, and you must provide it free of charge and within one month (a reasonable fee may be charged only for manifestly unfounded, excessive or repetitive requests). If the request is made electronically, the data should be provided in a commonly used electronic format.
Right to be forgotten (erasure) – Individuals can have their data permanently deleted in certain circumstances, for example when they are no longer customers and the data is no longer needed for the purpose it was collected for, or when they withdraw the consent on which the processing was based.
Right to data portability – Allows individuals to obtain their data, or have it transferred from one service provider to another, in a structured, commonly used and machine-readable format without interruption to their use of the service.
Right to be informed – Any organisation collecting personal data must tell individuals, at the time the data is collected, who is collecting it, what it will be used for, on what lawful basis and for how long. Where consent is the lawful basis, it must be freely given, specific, informed and unambiguous, so consumers have to actively opt in.
Right to restrict processing – Individuals can request that their data remain in place but not be processed.
Right to be notified – If a breach or compromise of your systems puts individuals' personal data at risk, the GDPR requires you to notify the supervisory authority (the ICO in the UK) within 72 hours of first becoming aware of the breach, and to inform the affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
Right to object – Individuals can object to the processing of their data, including an absolute right to stop its use for direct marketing. For direct marketing, processing must stop as soon as the objection is received.
The impact of GDPR on Businesses
Businesses must be ready to comply with the GDPR by 25 May 2018. The ICO (Information Commissioner's Office) will have wider powers to enter premises, inspect how data is held and check whether the business is operating in compliance with the GDPR.
Failure to comply with the GDPR could lead to a fine of up to €20 million or 4% of the business's total worldwide annual turnover, whichever is higher.
The worrying factor is that many businesses are still not aware of the GDPR, or misunderstand it as applying only to ICT businesses. This is not the case: it applies to any organisation that processes personal data, whatever its sector. Research conducted by Dell found that 97% of businesses do not fully understand the GDPR and how it will affect them.
Do you or your employees lack general knowledge around GDPR and to its compliance?
Are you holding your clients' data in several different places?
Do you capture clear opt-in permission for the communications you send to your clients?
Have you appointed a GDPR lead in your organisation?
How can Cloud Stem help?
Our team of experienced consultants, GDPR practitioners and Data Protection Officers (DPOs) can help you fully understand the impact of the GDPR on your organisation. With our guided approach, we take you through the compliance journey step by step, working to agreed milestones so that you are always in control of the scope of work.
We help you identify current risks and areas of non-compliance in the business, then design a detailed plan and roadmap for remediating those gaps.
Our 4 stage approach consists of:
Review, assessment and recommendations – We work closely with you, department by department, to examine how and where you use the information you collect, and to audit how you store, protect and track it.
Design (of processes, technology, procedures etc.) – We help you create the processes, systems and procedures needed to comply with the GDPR, keeping them simple to execute, maintain and evolve.
Implementation – We deliver the new initiatives across your business, followed by training for your staff and stakeholders on individuals' rights of access, rectification, erasure and data portability.
Ongoing monitoring – This ensures that any future changes to company policies and procedures continue to adhere to the GDPR.
We understand that every organisation is different, so we tailor the solution to meet the GDPR with changes to your established processes that are comfortable for you and fit well with your business ethos and culture.
If you have any queries or would like to have a discussion, feel free to get in touch: