GDPR - An Overview
The General Data Protection Regulation (GDPR) has forever changed the way that businesses handle customer data. Backed by the threat of fines of up to €20,000,000 for non-compliance, GDPR seeks to ensure customer privacy and uniform regulation across the EEC. However, it is not without controversy: with over 51% of small to medium businesses (SMEs) struggling to implement GDPR into their existing processes, commentators have lampooned the act as too complex to practically enforce, and standing at over 11 chapters and 99 articles, it is easy to see why.
To further complicate matters, GDPR is not a static regulation and must evolve regularly to adapt to new changes. This means that many businesses who have worked to implement GDPR may find themselves non-compliant if they fail to incorporate any subsequent amendments. With this in mind, at HARE.digital we are working with SMEs to ensure that they have systems in place that are able to ensure compliance irrespective of any amendments made.
Does GDPR affect me?
With Brexit on the horizon, the jurisdiction of GDPR has been a point of confusion for many SMEs. Whilst generally speaking the remit of most EU Directives is limited to the 28 (27) Member States, GDPR extends its territorial scope beyond the EU and encompasses the EEC and all entities trading within it. It is worth remembering that following Brexit the UK's withdrawal from the EU takes place over a cross-over period of 2 years. This means that when the UK leaves the EU it will still be subject to EU regulation until the end of this period. The current academic literature suggests that even after this point the UK, and businesses trading within it, will still stand to be bound by the extraterritorial reach of GDPR. It seems that whether businesses interact with an EU clientele or not may prove to be irrelevant. The jurisdiction of GDPR is extended by virtue of the wording in Art. 3, which explicitly states that the legislation shall bind all businesses established in the EU. This essentially means that irrespective of the March 29th Brexit result, the UK must ensure that its data storage and utilization is compliant.
Am I GDPR Compliant?
The reality of GDPR is that there is no simple solution. By design, it requires a systematic change in the way that companies collect and utilize data. Businesses that want to be fully compliant must adopt the same mentality as the legislature that originally drafted GDPR: it is an ongoing process that is subject to continued evolution and change. A recent example of this is the extension of anti-fraud protection, which will affect all businesses that process orders online. As of September 14th, businesses will be required to implement 2-factor authentication on all purchases; those who don't stand to lose out on conversion. The Strong Customer Authentication (SCA) amendment of GDPR has been announced without much coverage, further displaying the evolving and complex nature of GDPR.
As it stands, only 20% of businesses are GDPR compliant, with 27% currently in the implementation phase. This means that 53% of businesses have yet to adapt their current data handling processes to incorporate GDPR regulation. Perhaps even more shockingly, the Ponemon Institute, in its report 'The Race to GDPR', found that over 60% of tech businesses had yet to make the change. Unfortunately, the reality is that if you have to ask the question 'Am I compliant?', the overwhelming likelihood is that you are not.
The same study also identified that a near majority of businesses understood that they needed to be GDPR compliant but did not know what they had to do in order to implement it.
Many companies do not understand what is required to be in compliance. Forty-seven per cent of respondents do not know where to begin their path to compliance.
What is expected of SMEs? Below are some of the basic rights afforded to individuals under GDPR; consider how many of these you have implemented into your business practices:
- The right to access – Individuals are entitled to request access to the data that you have on record and to be informed about the ways in which you are using that data. Businesses are obligated to provide a copy of this data on request.
- The right to be forgotten – Customers maintain the right to request that their data be removed from your records at any point and without prior reason. Whilst this seems trivial, it requires that companies have a process by which they can quickly locate and remove all data associated with a given individual.
- The right to be informed – Individuals must be informed before data is gathered. At this point, individuals have the right to opt out, meaning they can request that their data be removed from your records.
- The right to have information corrected – This ensures that individuals can have their data updated if it is out of date, incomplete or incorrect.
- The right to object – Individuals have the right to object to the processing of their data for marketing or sales purposes. Processing must stop immediately after the request is made.
- The right to be notified – If there has been a data breach which compromises an individual's personal data, the individual has a right to be informed within 72 hours of the business first having become aware of the breach.
How can I ensure I am GDPR Compliant?
Whilst GDPR is a complex and often treacherous path to navigate, there are ways to ensure that you remain on the right side of the regulation. The best way to become fully compliant is to adopt a GDPR strategy: this involves prioritizing the different aspects of the regulation against the systems that you currently have in place and allocating resources to ensure compliance.
At Hare.digital we have created a GDPR & Digital Transformation Audit, hosted on the Harehub Project Management platform. This outlines the requirements of GDPR in plain English and allows businesses to work their way through the different aspects of the regulation in a checklist format. Since it is hosted on your very own Project Management System you can track your progress, invite your team members and even request advice and help, all from the Harehub platform.
We have coupled our GDPR Checklist with advice on Digital Transformation. As mentioned earlier, part of becoming compliant is the adoption of technologies that facilitate the collection and storage of personal information in a manner that adheres to the GDPR regulations.
Another important aspect to consider is the mitigation of some of the potential consequences associated with GDPR. For example, security and protection against data breaches have become an absolute priority for SMEs following GDPR. Article 33, 'Notification of a personal data breach to the supervisory authority', as mentioned earlier, requires the business to notify individuals in the event of a data breach. This is a proverbial hemlock sip for any business attempting to garner the trust of its customers.
Ensure your business is compliant with our GDPR & Digital Transformation Checklist