Becoming GDPR compliant: What on earth does that mean?

My Accountant Friend

If, like most people, you’ve subscribed to a number of newsletters and online services, the likelihood is that you’re suddenly being inundated with emails talking about “GDPR compliance”.

While it might appear on first glance to have something to do with Pound Sterling, it’s actually related to the EU’s changing position on personal data.

We thought we’d take a look under the hood and create a kind of At-A-Glance Guide to GDPR.

We hope you find it useful. What is GDPR? GDPR stands for General Data Protection Regulation.

In short, it’s a regulation being brought in by the EU to enable its citizens to have more control over their personal data.

It also seeks to regulate and simplify the way in which we understand how our data is being used.

When does this GDPR come into force?

GDPR was actually adopted on April 27, 2016, so most companies have been aware of it for about two years. However, it will be enforced on May 25, 2018, which is why you’re hearing more about it now.

As a subscriber to various online services and newsletters, what should I do?

You don’t have to do anything. However, if you want to continue receiving whatever you’ve subscribed to, you should read the emails you receive and opt in or out of whatever it is you’re being offered.

The onus is on the company contacting you to show that they’re compliant with the new regulations, so they’re contacting you to make sure your subscription is fully up-to-date in a legally binding way.

You can see this as a moment in which to redouble your support for them, or to drop out of a newsletter you’ve long-since stopped reading.

As a small business owner, will I be affected by GDPR?

If you’re operating within the EU and you’re dealing with the general public in some way or another then, yes, you will be affected.

The regulation talks about being a ‘data controller’ and/or a ‘data processor’.

It’s somewhat ironic that a regulation that seeks transparency should be clouded in this kind of terminology, but the likelihood is that you and your company could be classed as controllers, if not processors as well.

A ‘data controller’ in GDPR terms means an entity that holds (or ‘controls’) the data of others.

A ‘data processor’ is an entity that makes use of that data.

The official example is of a small business that makes use of an external PAYE service.

The small business collects data from its employees (bank account details, NI numbers, etc) and the external service processes that data (ie, pays the employees on behalf of the company they work for).

In this example we see ‘data controller’ and ‘data processor’ working side by side.

There are other situations in which you might be considered a data controller or data processor, of course. Most modern businesses, whatever their size, make use of digital marketing.

If you collect data in any way – via cookies on your website (yes, IP addresses are also now considered personal data and therefore fall under this regulation), via email signup forms, by collecting mailing addresses on the street – you’re in control (a controller) of other people’s data.

You might have a social media expert on staff who uses that data to create targeted advertising on Facebook or Twitter.

In which case, you’re also a data processor. Either way, you need to be GDPR compliant.

If you sell things online and you store credit card information and the home addresses of your customers in order to upsell to them at a later date, you are both data controller and data processor. For either position, you need to be GDPR compliant.

As the official example above suggests, if you employ someone and you have a finance department of any size, shape or form, then you will have collected and stored PAYE data from your employees.

In which case – you guessed it – you need to be GDPR compliant.

In short, if you’re holding on to any form of data regarding anyone who interacts with your business, you need to get your house in order. The penalties are too great to risk ignoring GDPR.

How do I make sure I’m GDPR compliant?

Unfortunately, there’s no easy answer to this.

You can’t simply flick a switch and hope for the best (although some friendly services like Mailchimp have certainly made some of the compliancy a lot easier).

Our advice would be to make yourself aware of GDPR requirements, which you can do by reading the office webpage:

Do I have to employ someone who understands GDPR?

Not exactly. What the regulation does require is a member of staff who can undertake the role of Data Protection Officer.

For larger organisations that deal with large-scale data processing, this may well be a new position.

For most smaller companies, the requirement is for someone holding a DPO position to stay abreast of the latest developments and legalities, to ensure that other members of the company are fully up-to-date on what is required, and to keep all necessary policy documentation up-to-date and acted upon.

The DPO will ensure that the company’s customers or clients understand its data and privacy policies, as well as being the point of contact for anyone requiring data-related information (including helping them access their data that they company has collected, and making sure that their ‘right to be forgotten’ is easily activated and ensured).

The DPO is also expected to keep all records relating to the collection and processing of data up-to-date, understanding (and being able to explain) how data is collected, how it is currently processed and how the company intends to process it.

In the case of a data breach, it would be the DPO’s responsibility to inform those with data held within your database immediately.

What is the ‘right to be forgotten’?

Just as you are legally bound to make sure your customers and clients understand why you need their data and what you plan to do with it, you are also required to ensure that their data can be erased once it is no longer being put to use.

This is known as ‘the right to be forgotten’, and it addresses concerns that data is often held onto or even sold/shared with third parties without the owner’s consent.

What are the penalties if my company is found not to be compliant with GDPR after May 25th?

For a small business, the penalties could be disastrous. SMEs will be treated on a two-tier approach to GDPR compliance.

Tier 1 will consider “less serious” breaches of the regulations, such as an administrative failure in record keeping, and could result in a fine of 2% of turnover or €10 million.

A Tier 2 breach, which looks at more serious situations such as blatant disregard of regulations, could see fines of double the above. Will Brexit have an effect on GDPR? In short, no it won’t.

While Britain is leaving the EU next year, GDPR will be enforced a month from now (at the time of writing), at which point Britain will still be inside the EU.

For more information on GDPR, we recommend looking carefully at the official EU website on the subject.

While we have done our best to ensure that all information in this article is up-to-date and correct at the time of writing, we would suggest that anyone with real concerns about their GDPR compliance seeks legal assurance as soon as possible.