Everything you need to know about GDPR
HR Tips Stefan Kingham
My mum is leaving it awfully close to the GDPR deadline to ask if I want to opt in to receive her emails, calls and texts.— Sharon O'Dea (@sharonodea) May 15, 2018
GDPR has been on many organisations’ corporate minds ever since it was approved by the European Parliament back in April 2016 and seems to be on everyone’s lips at the moment. So much so that GDPRday is currently trending on Twitter and a Google search of “GDPR” brings up over 118 million results. That’s almost 4 times as many searches as TV show “Westworld” but still 2 times less than “cute cats”. Any more random insights, anyone?
All joking aside, the GDPR is set to revolutionize the way companies process personal data and empower EU citizens to take back control, and we for one believe it was about time. So, without further ado, let’s get stuck in.
What’s this whole GDPR thing about?
GDPR stands for General Data Protection Regulation. Sounds particularly dull, doesn’t it? But see, it’s actually quite interesting if you look beyond the legal jargon and latch on to what it really means.
In a nutshell, GDPR is a regulation in EU law on data protection and privacy for all individuals within the EU and the European Economic Area. It basically aims to give control back to citizens over their personal data and harmonize data protection law across the European market.
The GDPR replaces the 1995 EU Data Protection Directive and takes effect today.
Lot of films aren’t GDPR compliant, actually. pic.twitter.com/sXkynSBWRy— Ian B (@TheAdmiral) May 21, 2018
What are companies and consumers saying about GDPR?
While it’s difficult to estimate what percentage of companies agree with GDPR, it’s fair to imagine that the majority of organizations recognize the need for this new regulation and actually support it. After all, GDPR isn’t necessarily bad for business, au contraire!
Wait what, how is GDPR actually good news for companies based in the EU?
- Harmonized data protections laws across the whole continent mean that all companies operating in Europe will abide by the same rules, regulations and conditions regarding data protection. (This was NOT the case before GDPR!).
- In theory, GDPR-compliant companies will generate a higher level of trust and therefore gain an advantage over competitors who don’t comply.
- GDPR focuses on first-party data, i.e data of the highest quality that comes directly from customers. In other words, GDPR-compliant companies will have access to better data, and in principle, better leads.
And seeing as the arrival of GDPR will put the control of personal data back into the hands of the individual, consumers have mostly welcomed this change.
Happy #GDPR day! The world looks so different now doesn't it? Like everyone you meet just has this air of newfound respect for personal information.— Matt Collins (@charitychap) May 25, 2018
Why was GDPR initially drafted?
So, let’s be honest. Businesses have been engaging in dodgy data practices for years. The recent Facebook-Cambridge Analytica scandal certainly brought the debate on user data privacy to the spotlight, but let’s not kid ourselves into thinking this is a new phenomenon.
In case you missed Mark Zuckerberg's Cambridge Analytic apology, here's an executive summary. pic.twitter.com/G23sPRuyQW— Greg Flannigan (@gregflannigan) March 21, 2018
Deutsche Telekom, Europe’s biggest telecommunications firm at the time, confirmed in 2008 the theft of personal data of more than 17 million of its mobile phone customers, including politicians, ministers and TV stars! Oh yea, and Yahoo casually disclosed that all of its 3 billion email users were most likely compromised in a data breach back in 2013.
The internet has changed A LOT since 1995 and data privacy regulations were in desperate need of an update!
As well as the whole need to ensure data privacy regulations were up to date with current practices, the EU also wanted to give organizations more clarity with regards to the legal environment that dictates how they can behave. Why? Because the EU predicts that companies could collectively save €2.3 billion annually by making data protection laws identical throughout member states.
What is GDPR compliance?
In order for a company to be GDPR compliant, they must abide by the following principles:
- Data must be processed lawfully, fairly and in a transparent manner in relation to individuals (lawfulness, fairness and transparency)
- Data can only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation)
- The scope of the data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)
- Data must be accurate and, where necessary, kept up to date (accuracy)
- Data can only be held for the absolute time necessary and no longer than is necessary for the purposes for which the personal data are processed (storage limitation)
- Data must be processed in a manner that ensures appropriate security of the personal data (integrity and confidentiality)
There are several other requirements to take into account too, check out this handy GDPR checklist to harden your GDPR compliancy!
Who does GDPR apply to?
GDPR basically applies to any organisation that operates within the EU, as well as any organisation outside of the EU that offers goods or services to customers or businesses based in the EU. And if you really think about it, that pretty much encompasses every major corporation in the world!
The legislation applies to two different types of data-handlers: ‘processors’ and ‘controllers’, the definitions of which are stipulated in Article 4 of the General Data Protection Regulation.
While a data controller is a “person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”, a data processor on the other hand “processes personal data on behalf of the controller”.
He's making a list— joe (@mutablejoe) May 20, 2018
He's checking it twice
He's gonna find out who's naughty or nice
Santa Claus is in contravention of article 4 of the General Data Protection Regulation (EU) 2016/679
In addition, while the GDPR broadly expects all SMEs to comply in full with the legislation, it does still make some exceptions for organizations with less than 250 employees.
In actual fact, article 30 of the Regulation states that organizations that have fewer than 250 employees are not required to maintain a record of processing activities under its responsibility, unless “the processing it carries to is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data […] or personal data relating to criminal convictions and offences”.
Are companies ready for GDPR?
If recent surveys are to be believed, then no, not really.
Around 60% of UK businesses and under half of EU organizations are prepared for GDPR according to a study released yesterday by Spiceworks. The situation is even more critical in the U.S., but then again not all American organizations are impacted by the GDPR.
Interestingly, more than 60% of the organizations in Europe that don’t expect to be compliant by the deadline actually cite a lack of time/resources as the primary reason, while 27% claim it’s just not one of their company’s priorities.
While these survey results are clearly quite underwhelming and seem to point to a general lack of concern from organizations impacted by GDPR, 54% of European organizations will nonetheless train employees in preparation of GDPR while 48% of them intend to work with third-party consultants.
33% of them even expect to spend between $10,000 and $50,000 on GDPR compliance activities!
What happens if companies don’t comply with GDPR?
Non-compliance can result in fines of up to 4% of global revenue. Now 4% might not seem all that catastrophical for SMEs, but for major corporations we’re talking about millions and millions of dollars in penalties.
Non-compliant companies will be fined at different rates depending on the seriousness of the infringement. So, if you don’t have your records in order or forget to notify the supervising authority, you might only be fined 2% of your company’s global revenue.
If, on the other hand, you violate the basic principles related to data security and conditions for consumer content, you’ll get the full 4% fine.
As you may have understood by now, companies wishing to be fully compliant with GDPR will have to report all data breaches to the relevant supervisory authority in a certain amount of time in order to avoid getting fined.
As of now though, there are still no requirements under the GDPR specifying when affected EU residents must be notified.
Well, there you have it. You’re now a master of all things GDPR.
But before you run off to the hills in a desperate attempt to escape the grasp of data privacy regulations, there’s one last little thing we’d like to share with you… 😉
Every single day— Honeypot (@honeypotio) May 24, 2018
Every word you say
Every game you play
Every night you stay
I'll be watching you in full concordance with the legal requirements stipulated in the General Data Protection Regulation (EU) 2016/679
Looking for tech talents? Join Honeypot!
Over 1,000 candidates sign up weekly and over 1,500 companies hiring with us.