What Does GDPR Mean for Your Company?
Companies have less than three months to comply with the General Data Protection Regulation, which comes into effect on 25 May. Enforcing stricter data-handling rules and fines for noncompliance, GDPR puts a load of new responsibilities on companies. Let’s break down what they mean for your business.
What Is GDPR?
The purpose of GDPR is to give EU citizens more control over their personal data. The new legislation affects every business that processes the personal data of European citizens. Online stores operating outside the EU whose services or products are available to EU citizens have to comply with the new legislation as well.
There are rumors that GDPR concerns only enterprises, sparing companies with fewer than 250 employees. This is a myth. Even solopreneurs who process the personal information of their clients have to comply with the new regulations.
Under the GDPR, the definition of personal data is expanded to include:
- IP address
- Biometric data (fingerprints, facial images)
- Health data
- Genetic data
There are also special categories of personal data.
How GDPR Affects Businesses
According to the new regulations, companies should store their customers’ personal data only for as long as is required to complete the service or transaction the customers agreed to. In other words, if your customers haven’t used your services for a while, you have no legal right to hold on to their data (unless, of course, their consent states otherwise).
Consent to Process Data
Consent to data processing has also been reshaped under the GDPR. Forget about a simple email form with a ticked consent box. GDPR requires businesses to present the consent as a separate document that explicitly states the company’s intent to process user data.
Fair Processing Notices
Fair processing notices aim to explain to your customers how you’re handling their data. They should contain the following information:
- The purpose of processing personal data along with documents confirming legal rights to do so (e.g. consent)
- How long you’ll be storing personal data
- With whom the personal data might be shared (suppliers, employees, etc.)
- The rights the data subject has over their data
Who Is a Data Protection Officer (DPO) and Do I Need One?
The role of a DPO is to monitor the company’s GDPR compliance and ensure that appropriate systems, responses, and strategies are in place.
Organizations that need a DPO:
- Public bodies
- Companies performing regular and systematic monitoring and processing activities
- Businesses processing data or special category data on a large scale
“Large scale” in the last bullet isn’t strictly defined and is open to interpretation. Check with a professional whether your company falls into that category and needs a DPO.
Penalties for Non-Compliance
One of the GDPR requirements is to report data breaches to all affected users. The notification timeframe is 72 hours from the breach.
The penalties for noncompliance vary depending on the severity of the GDPR violation. That said, worst-case violations can be fined up to €20 million or 4% of yearly global turnover (whichever is higher).
It’s of paramount importance for companies to check that all of their suppliers and contractors are GDPR-compliant. This reduces the risk of data breaches and the penalties that follow them.
Factors influencing administrative fines:
- Type and severity of the violation
- Previous history of violations
- Categories of affected personal data
- Intent or negligence
- Extent of harm
- Harm mitigation efforts
- Reporting the occurrence of violation (e.g. data breach)
- Controller’s or processor’s degree of responsibility
Why GDPR Is Good for Your Business
With all the hassle involved in making a company compliant with the new GDPR laws, the legislation might seem like a burden and an additional expense to business owners. But you can use GDPR to your benefit: being compliant with GDPR and stating clearly how you handle your customers’ personal data will make you reliable and trustworthy in their eyes.
Become GDPR-Compliant While There’s Still Time
To avoid financial penalties, ensure your company is ready before the clock strikes midnight on the 24th of May. There’s still time to review, modify, and upgrade all systems and policies so that they adhere to the new regulations. We can help you prepare your online assets to be GDPR-compliant and determine whether you need a data protection officer.
Short GDPR-Preparedness Checklist
- Review your consents to processing data
- Train your employees
- Triple-check your security measures
- Review and categorize the data you’re storing
- Check if your suppliers are GDPR-compliant
Polcode is an international full-cycle software house with over 1,200 completed projects. Propelled by passion and ambition, we’ve coded for over 800 businesses across the globe. If you want to talk in detail about your IT project, contact us. We’ll be happy to help you get your idea off the ground.