The GDPR is set to become enforced from the 25 May 2018, after being approved in 2016 following four years of debate. It is set to affect practically every business, with heavy fines in place for those who don't comply.
So, what exactly is GDPR, and what does it mean for your business? Read on to find the answers to the most pressing questions you probably have in our GDPR summary.
The General Data Protection Regulation, aka GDPR, has been created with the aim of giving citizens of the EU more protection over their personal data, and how it's used by companies. It will replace the Data Protection Directive 95/46/EC when it comes into effect, and will unify data privacy laws within Europe to hopefully create a clearer and better-enforced system that gives more control to members of the public.
The term 'Big Data' has become commonplace in recent years, and for good reason; we're now producing 2.5 quintillion bytes every day globally, and 90% of the world's existing data has been generated within the last two years alone, according to a report from IBM.
These numbers may be hard to comprehend, but the reality is that data affects us all, each and every day. How many online forms have you filled in this week, for example? Have you ever worried what the company will use that information for? With current laws only protecting names, addresses, and photos, it was clear a more relevant solution was needed - and this is where the EU GDPR comes in, offering a much more in-depth level of protection to personal data.
Basically, any kind of information that could be used to reveal someone's identity, be it directly or indirectly. So things like their name, photo, email address, location data, bank details, passport number, social media posts, IP address, fingerprint and medical details.
Following the introduction of GDPR, personal data will become more protected and therefore companies looking to gain consent to use it will find a much bigger challenge awaits. Companies must make sure that, when consent is requested, it is clear for what purpose and the language used is easy to understand. It's also necessary for companies to make withdrawing consent an easy and straightforward process for those who have previously allowed them to use their data.
According to the Information Commissioner's Office (ICO), organisations must:
"..... put into place comprehensive but proportionate governance measures. Good practice tools that the ICO has championed for a long time such as privacy impact assessments and privacy by design are now legally required in certain circumstances. Ultimately, these measures should minimise the risk of breaches and uphold the protection of personal data. Practically, this is likely to mean more policies and procedures for organisations, although many organisations will already have good governance measures in place.”
In order to ensure that their personal information is protected, the GDPR will provide customers with eight fundamental rights. These are:
The Right to be Informed - You must be clear regarding how the individual’s data was collected, and what it’s being used for.
The Right of Access - Individuals should be able to find out the personal information that you have on file for them.
The Right to Rectification - Citizens must be able to correct inaccurate or incomplete information.
The Right to Erasure - AKA ‘the right to be forgotten’, individuals should be allowed to request that their information is deleted, and companies have just one month to respond.
The Right to Restrict Processing - Individuals are allowed to limit the use of their personal information in some cases.
The Right to Data Portability - Individuals can reuse the data for their own purposes, moving, copying, or transferring it to another service quickly and easily.
The Right to Object - In some specific circumstances, individuals can prevent their information being used entirely, for example for direct marketing purposes.
Rights Related to Automated Decision Making Including Profiling - Using automated systems to process information about someone, in the case of making a decision, is not allowed under some conditions in the new legislation.
The GDPR data protection legislation will apply to every company that sells products or services to customers within the EU, even if they’re based outside of it. It is not even necessary for a monetary transaction to have taken place in order for these rules to apply.
It's also essential to have a good understanding of the different roles within a company that will have responsibility for ensuring it is following GDPR rules. These are the data controller and the data processor. Here's the difference:
Data Controller - An individual or company/ another body who has the overall responsibility of gathering personal data, and determining how it's used.
Data Processor - A person (or group of people) who processes personal data, but doesn't actually have any authority over it, for example, an accountant.
The main takeaway here is that it's the data controller who must make sure that their company's use of personal data complies with GDPR requirements, and if it doesn't it will be them who're held liable. The data processor, on the other hand, must ensure that the controllers they work with are adhering to GDPR rules.
Given the serious legal implications involved, it's essential that all employees understand their role and exactly how the new regulations impact your company.
By the time GDPR comes into effect on May 25th, 2018, all companies that sell within the EU must be compliant or they'll receive a fine. In order to do so you should stick to these guidelines:
Collection - The reason for gathering data must be made clear, and it must be for a legitimate intent.
Processing - The data has to be used in a law-abiding and fair way, with full transparency.
Scope - The breadth of the data must be relevant to what is actually needed.
Accuracy - The data must be free of errors as much as possible and kept up to date.
Security - The handling of the data must be done in a way that keeps it confidential.
Time - The data can only be held for the time it is needed, and no longer.
In order to make sure your company is following the new legislation, you should carry out the following four steps as soon as possible:
Identify - Establish what personal data your company currently holds, where it is being held and who has access to it.
Streamline - Bin any GDPR-applicable data that's not essential to your business, and limit the number of places and systems that all other personal data exists.
Encryption - Keep confidential data secure and safe from potential cyber attacks by encrypting it.
Control - Keep personal data behind an authentication process that contains a number of elements to it, and keep access limited to only those who need it as part of their job function.
If all of this sounds rather complex, it's probably worthwhile investing in compliance training for you and your team, as well as legal advice from someone specialised in the area. This will make the process much more efficient and leave you reassured that you have all the bases covered.
If you don't ensure that your business is compliant with GDPR regulations by the time it comes into force, you could face hefty fines. These exist in a two-tiered system, depending on how serious the breach is. The biggest violations, for example not having adequate customer consent before using their information, come with a maximum fine of 4 percent of a business’ total turnover, or 20 million euros (whichever is more).
For less serious infractions, such as not having fully-organised records, a maximum fine of 2 percent of a company's total revenue, or 10 million euros might be imposed.
Any company can appoint a DPO if they so wish, but it's worth noting that in some cases it's obligatory. This includes organisations that:
Are public authorities (minus courts working in a judicial manner)
Practice extensive systematic tracking of individuals
Practice extensive handling of sensitive data relating to individuals
If your company or organisations doesn't fall into any of these three categories, you don't have to appoint a DPO. However, you must still ensure that your team has adequate knowledge and skills to fulfil your company's responsibilities under GDPR.
Although UK Prime Minister Theresa May has revealed the process of leaving the EU will begin on the 29th March 2019, it's likely to take at least two years, so UK businesses must still be ready for GDPR.
Of course, if your business sells products or services to those located in other EU countries you'll need to be compliant anyway, but if you only sell within the UK, things are less certain. However, given the UK government’s support for the GDPR, it is probably wise to expect that UK legislation surrounding personal data is likely to follow the same route.
The Global Database business directory contains a wealth of insights on companies in 195 countries, including those within the EU. However, all of this data is collected solely from public sources; for example, within the UK the majority of the data is sourced from Companies House, including company name, financials, ownership, group structure, director's name, nationality, date of birth.
We also crawl the internet, collecting data from company websites, government organisations, chambers of commerce, social media pages, Wikipedia, trade shows, and different business directories for additional data that will enrich a certain company or employee.
Global Database's online platform offers a wide range of non-personal (and therefore GDPR-compliant) data that can have a real impact on your business activities. This includes things like profit and loss accounts, balance sheet and cash flow, number of employees, corporate ownership, group structure, year established, technology insights, credit reports and more.
Far from becoming useless when GDPR comes into force, the database will continue to be an incredibly powerful resource that can be used in several ways to aid your marketing campaigns and boost your business growth. Here are a few ideas:
Market Research - Using information such as revenue, technologies used, company size and location, you can see what niches are doing well, and predict your future results when you're entering a new market.
Competitor Insights - See how your business is holding up against others in your market by looking at their financials, company size and digital insights (including website visitors and Alexa ranking). See what's working for them and what their current weaknesses are, and exploit any potential gaps in the market.
Due Diligence Checks - Avoid risky deals by carrying out background checks on potential business partners, suppliers, or clients, with detailed insights such as credit scores, financial information, company size, mortgages and charges and company structure information.
Marketing Campaigns - Build highly-targeted contact lists for the right kind of companies to suit your product or service, then email them using the company (and non-personal) email addresses. With millions of companies covering every industry, you're sure to find plenty of new leads to reach out to.
With the implementation of the new regulations just around the corner, it's vital to start preparing now in order to avoid those hefty GDPR fines. If you're feeling overwhelmed it's advisable to seek advice from a legal expert in order to ensure you have everything covered. While it may seem like a lot of work, it's far better to complete the process thoroughly now and ensure your team are adequately informed in order to avoid any infractions in the future.
To find out more about how the GDPR-compliant data offered by Global Database can fuel your business activities, contact us to book a demo or have a quick chat with our representative.