With only two months left before GDPR comes into force, any organisation within its scope that fails to follow the regulation could face colossal penalties: up to four percent of annual worldwide turnover or €20,000,000, whichever is greater.
Does GDPR apply to you?
Only half of UK businesses are even aware of GDPR, and a solitary three percent say they are prepared for the upcoming deadline. Because well-publicised breaches have hit large organisations such as eBay, Yahoo and Adobe, many companies assume the new regulation only applies to big businesses that hold large volumes of personal data. Unfortunately this is not the case: almost every organisation processes some personal data, even if only about its own staff and customers.
In this brief article, we help you to understand whether your organisation needs to get compliant fast, and how we can help get your business out of the GDPR firing line.
-
Don’t get caught out
In the wake of infamous data breaches, the EU parliament has taken steps to keep European citizens' data safe, while forcing organisations to think differently about data privacy. Though many assume the regulation only applies to large companies, any business that provides a service to, or collects data on, people in the EU will be affected by GDPR and should take action before the deadline of 25 May 2018.
-
You process EU citizen data
GDPR is being introduced to protect European citizens wherever they are located (strictly, it protects anyone in the EU, regardless of nationality). Companies operating outside Europe might think they have side-stepped the legislation. However, any organisation that offers goods or services to people in the EU, or monitors their behaviour, is accountable for GDPR compliance, and failure to comply exposes it to the same penalties.
There has been confusion over whether GDPR affects the UK after the decision to leave the European Union. It does: the UK will apply GDPR in full from 25 May 2018, and the UK government has indicated it will carry an equivalent regime into domestic law after Brexit.
-
You have more than 250 employees
Companies that employ 250 or more people are expected to follow GDPR in full. This includes the requirement to keep complete records of their processing activities, whether they act as controller or processor.
While there have been rumours that GDPR does not apply to small and medium-sized enterprises (SMEs), this is untrue. Although SMEs are understood to pose a smaller risk to data privacy than their larger competitors, they are not exempt from the regulation. What they may be exempt from is the obligation to keep detailed internal records of processing; that exemption only holds while processing is occasional, is unlikely to result in a risk to individuals, and does not involve special categories of data (such as ethnic origin or health) or data about criminal convictions. Most SMEs with regular customer or employee data will still need to keep records.
-
Your consent forms are unclear
One of the main goals of GDPR is to give EU citizens confidence in knowing who is accessing their data and to make clear when they are giving an organisation consent to use it. More than half of IT decision-makers surveyed have said that protection of citizens' personally identifiable information (PII) is the key benefit of GDPR to EU citizens.
To achieve this, every form designed to gather data for processing will need to be written in clear, plain language. Terms can no longer be ambiguous or buried in legal wording that users may have difficulty understanding. Consent must be freely given, specific, informed and unambiguous, and requested separately from other terms rather than bundled into them; pre-ticked boxes and silence do not count. Going forward, users must be able to withdraw their consent as easily as they gave it.
-
You control EU citizen data
Data controllers differ from data processors, but both must comply with GDPR.
But which one are you?
A data controller determines the purposes and means of processing personal data. A data processor is an entity that processes that data on behalf of the controller.
For example, a telecoms company like British Telecom may share its customer data with a call centre that provides customer service management. In this example, British Telecom is the data controller, while the call centre is the data processor.
While it is the controller's responsibility to make sure its processors follow GDPR (normally through a written contract setting out what the processor may do with the data), processors now have direct obligations of their own, such as keeping the data secure and acting only on the controller's instructions, and can be penalised in their own right if they breach them.