In recent months, increased attention in the media has been devoted to the GDPR. However, confusion remains pervasive among micro, small, and medium-sized enterprises (MSMEs), organisations of fewer than 250 employees, who are uncertain of what it will mean for them and how they should prepare.
If your business is part of this group, this blog post provides information and guidance that will help you ensure compliance by the May 25th, 2018 deadline.
What is GDPR and When Will it be Introduced?
GDPR is an acronym for General Data Protection Regulation. It is a new law that applies to the collection, storage, or any usage of personal data, referred to as processing, of anybody in European Union (EU). This regulation will supersede the existing data protection framework in each of the 28 European states when it becomes effective from May 25th, 2018.
Its purpose is to introduce consistency and harmonise laws relating to data protection between member states and offer individuals greater control over how their personal data is handled. However, it is stricter than the legislation that is in place currently and introduces tougher fines. Indeed, there are two tiers of fines. For violations of GDPR’s code of practice, these can be up to €10m or 2% of global annual turnover, whichever is larger. Fines for breaches can be up to €20m or 4% of global annual turnover, whichever is larger.
This means that organisations run a serious risk of insolvency or of going out of business through non-compliance. Critically, the GDPR also allows individuals to sue organisations for material or non-material damages resulting from data breaches.
From fines to compensation claims, there are numerous reasons to become GDPR compliant.
Applies to All Organisations
As smaller organisations process a significantly smaller quantity of data than their larger counterparts and pose less of a risk for violations, some are of the view that the GDPR does not apply to them. This is incorrect. The new measures apply to all organisations, regardless of their size, though there are some differences. But while multinational corporations may be able to absorb any penalty in their next financial quarter, the risks are higher for MSMEs who may not be able to pay costly fines.
What Data Does it Affect?
The GDPR applies only to personal data, or those which can be used to identify an individual, referred to in the regulation as a data subject, and includes names, email addresses, PPS numbers, IP addresses, cookies, and browsing data. These data may belong to anybody, including customers, suppliers, or employees.
Data subjects have eight additional rights under the GDPR. These are (1) the right to be informed about what data will be collected, why, by whom, for what purpose, where it will be stored, and for how long; (2) the right to access personal data that is held about them, obtain details of its processing and the purpose of this processing, learn who it is shared with, and how it was acquired; (3) the right to rectify any outdated, inaccurate, or wrong data; (4) right to have data erased when it is no longer necessary for the purposes for which it was originally collected; (5) the right to restrict or object to processing if there are no grounds for it; (6) the right to port data, or receive an electronic copy of it for usage by another entity; (7) the right to object to data processing or to stop processing; (8) and the right not to be subject to automated decision-making, including profiling.
Some of the other obligations under GDPR include:
That a Data Protection Officer must be appointed by organisations with 250 staff or more or MSMEs processing special categories of personal data, engaging in processing that is likely to result in a risk to the rights or freedoms of data subjects, or processing that is not occasional.
Organisations that process data and who employ 250 employees or more are required to retain a record of all data processing activities and produce this upon request from supervisory authorities. This obligation applies to MSMEs only when there is a risk to the rights and freedoms of data subjects, processing is on a large-scale or is not occasional, or includes special categories of personal data such as those relating to health, criminal convictions, or offences.
Privacy notices should be appropriate and fully inform data subjects in language that is clear and easy to understand.
Data breaches must be reported to data protection authorities within a maximum of 72 hours and, in some cases, to data subjects.
How GDPR Compliance Differs for Smaller and Larger Organisations
The only exemptions that the GDPR provides MSMEs, where data processing is not their core activity, are regarding the appointment of a Data Protection Officer; with the retention of internal records of data processing activities; and that they are not obliged to report minor breaches to data subjects, where their rights are not jeopardised.
Good for Smaller Businesses
However, while these organisations may experience challenges and problems obtaining GDPR compliance, there are advantages for them too.
They can save money by ensuring that processed data are accurate and relevant and by avoiding potentially substantial fines. By confirming their compliance, MSMEs will signal to their customers that they fairly collect, manage, and protect their data. This will improve their image and reputation, allowing them to earn trust and confidence, and is likely to boost business. It will also increase their likelihood of becoming a supplier or partner for other organisations who are seeking to avoid the fines and claims that may arise as a result of failures to adhere to the GDPR and can provide a competitive advantage over rivals in the case of tendering.
It is good for competition too. The new right of data portability facilitates easy movement between service providers of any size. The GDPR will eliminate the legal maze that exists at present, introducing one comprehensive set of rules for all organisations processing the data of individuals within the EU. As a result, smaller organisations can export their products or services to anywhere in the EU with reduced bureaucracy, lower costs, and greater ease. Favourably, complying with these rules will be significantly easier for MSMEs, as due to their size, it is likely that they hold less data than larger organisations and will have far less to do.
Preparing for GDPR
But while they have less to do, it is critical that MSMEs take action to prepare for compliance now. Indeed, while the majority of larger organisations are ready for May 25th, it appears that many smaller organisations are not.
To assist these organisations with compliance, RIKON suggest consideration is given to the 12 activity groups listed below.
Familiarise yourself with the GDPR, what constitutes compliance, and its implications for your business. Determine whether your organisation is a data controller (the entity that specifies the purpose, conditions, or means of processing data) or a data processor (the entity that processes data on behalf of the controller). Utilise key information sources such as the Office of the Data Protection Commissioner.
- Establish a Lawful Basis for the Processing of Data
This can be (1) consent or that it is necessary for (2) the performance of a contract; (3) compliance with a legal obligation to which the data controller is subject; (4) to protect the vital interests of a data subject or another person; (5) the performance of a task that is carried out in the public interest or in the exercise of official authority vested in the data controller; or (6) for the purposes of legitimate interests, where these interests are not overridden by the interests, rights, or freedoms of the data subject.
- Data Audit
Make an inventory, identifying all data held and what type of data they are; how they were obtained; where they are held, incorporating all existing databases and those of third parties; how they are stored and whether this is safe and secure, making changes if required; what the specified and explicit purpose of their processing is, confirming that they have been processed only for this purpose; whether they are complete and accurate, amending where there are errors or omissions; whether they have been retained for longer than is necessary; whether they are backed up and with what frequency; with whom they are shared and to whom they are transferred; whether evidence can be provided that data subjects have opted-in to marketing programmes, removing any data subjects for whom this cannot be located; and whether data fall into any special category, such as sensitive data, where additional precautions are required.
- Review, Document, and Upgrade Data Management Processes and Workflows
Perform a gap analysis and risk assessment to identify if there are any issues with processes or procedures for dealing with requests that relate to the rights of data subjects within the permitted timeframe of one month, amending or creating policies, where necessary. Consider privacy when designing new products or services, for instance, by minimising the amount of data collected. Examine where pseudonymisation (replacing items that allow data subjects to be identified with pseudonyms that do not allow them to be identified directly) or encryption can be used to better protect data. Ensure that processes used to transfer data among employees are secure. Create detailed records documenting the technological and organisational measures that are in place to comply with the GDPR. If the systematic and extensive evaluation of personal data relating to natural persons based on automated processing; large-scale processing of special categories of personal data, such as those relating to convictions or offences; or the large-scale systematic monitoring of a publicly accessible area is undertaken, a data protection impact assessment must be completed.
- Breach Response Planning
Develop policies and procedures to swiftly detect and investigate breaches of personal data and complete the mandatory reporting of breaches to the Data Protection Commissioner within the stipulated 72 hours.
- Assign Responsibility for GDPR Compliance to a Single Employee
This dedicated role does not have to be full-time. It is demonstrative of a commitment to comply with the GDPR and allows all matters relating the regulation to be dealt with effectively by a single expert employee.
- Employee Training
Ensure that employees understand how data are to be processed in a manner consistent with the requirements of the GDPR; are aware of their responsibilities; are clear with regard to what constitutes a breach and to whom breaches should be reported; and are provided with updates and refreshers, when required.
- Data Protection Officer
Determine whether a Data Protection Officer is required. This role is not compulsory for all organisations, but applies to those with in excess of 250 employees; public authorities; those involved in the regular, large-scale, systematic monitoring of data subjects, of sensitive personal data, or of special categories of data e.g. those relating to criminal convictions or offences.
- Review and Update Processing and Data Privacy Notices
Review how is consent sought, obtained, and recorded. Consent should be freely given, specific, informed, with a clear affirmation that the individual agrees to the processing, meaning that positive opt-ins or pre-ticked boxes should not be used. Data subjects should be informed that their consent can be withdrawn at any time and alerted to how this can be achieved. Evidence of when and how consent was given should be retained. Determine how the ages of children will be verified and consent obtained from parents or guardians, if applicable.
Ensure that all contracts with partners, suppliers, contractors, and data processors are compliant with the GDPR and undertake due diligence prior to the commencement of any new arrangement in order to avoid any impact or penalty resulting from the actions of another party. Responsibilities and liabilities between processors and controllers must be clarified so each is definite about their role in the processing of data. It must be confirmed that processors are obliged to report breaches to data controllers.
Preparing for the GDPR requires time, effort, and thoughtful planning, and may present significant challenges to those responsible for the management of data in an organisation. However, while compliance is legal obligation, it is also in the best interests of MSMEs. It will be advantageous for earning the trust of customers, the prevention of large and potentially devastating fines, and enhance their ability to compete with larger rivals.
Critically, it is a prompt too, for organisations to consider what data are held by them, how it is collected, stored, or utilised, and provides an opportunity to improve policies in these areas.
The time to prepare for the GDPR is now. Shortcomings after May 25th, 2018 could cost MSMEs dearly.
This blog post contains general information about the GDPR. It is not intended to provide a comprehensive or detailed statement of the law and its content is for informational purposes only. RIKON is not a law firm and is not providing legal advice. Specific legal advice should be sought before taking or refraining from any action in relation to the matters outlined. RIKON expressly exclude and disclaim liability for any cost, expense, loss, or damage suffered or incurred by reliance on this information, including (without limitation) as a result of misstatements, errors, and omissions.