GDPR begins 25 May 2018.
If, after reading that sentence, you find yourself wondering, “Hmm, what’s GDPR? Does GDPR affect me? Wait, what does GDPR even stand for?”, this guide is for you.
Here’s the lowdown, in under 3 minutes.
What does GDPR stand for?
General Data Protection Regulation.
Ok, what is GDPR?
New rules for data handling in the EU, including the UK. The GDPR replaces the EXTREMELY outdated Data Protection Act released in 1998 - yep, pre-social media.
Who does it affect?
Any company with personal data about customers who live in the European Union, including the UK. And by data I mean a person’s name, email, phone, address - stuff that identifies them.
So it affects US companies if they have UK clients, for example?
And what about Zanzibar companies with German clients?
Uh, well yes, it affects them as well.
Wow, ok. What are the changes?
Here are six highlights:
Availability - You need to treat your customer data like you would any of your business assets; you must keep it up-to-date, secure, and available for review if someone requests it.
Right to be forgotten - Customers can, under certain circumstances , have their data removed (also called data erasure) from a company database.
Data portability - Customers can ask for their personal data information to be supplied to them. And they can send that data to other companies if they choose to. As you might guess from these first three hghlights, it’s critical to have your customer data clearly, cleanly and corrected structured.
Consent - The GDPR guidelines state that “the request for consent must be given in an intelligible and easily accessible form”. (Using the term OPT IN is a safe bet). It must be clear WHY the user is being asked for their personal data and WHAT it will be used for. It must also be as easy to have the consent WITHDRAWN as it is to be GIVEN.
Encryption - you need to encrypt or pseudonymise ” (their term, not mine) your customer data. So you should implement tech like SSL and industry-standard encryption tools.
Responsibility - There are massive fines for breaches of the GDPR legislation - up to 4% of a company’s global annual turnover. Ouch. To help avoid that sticky situation, you’ll be required to appoint a Data Protection Officer (DPO) if you are part of a large company (no one’s sure how large, though).
The DPO will oversee all GDPR requirements and be the point of contact with regulators.
Who benefits from the GDPR?
Everyone, pretty much. It gives consumers confidence that their personal details are under lock and key. It also allows them to ask for their data to be removed from a company database.
For workplaces, it formalizes data processes, giving the opportunity to embed an all-hands security mentality. And that’s a good thing.
Great! So, to be clear, does it affect companies in Djibouti with Italian clients?
And Transnistria? What about Transnistrian companies with French clients?