The EU's previous data protection directive dates from 1995, so privacy law has long been due an update. But what about your online business? Will it be compliant with the new rules? And what happens if you break them?
Well, fines for breaching GDPR can run to millions of euros, so it clearly pays to get your house in order. The regulation applies from 25 May 2018, and with the way time flies that will be here before we know it, so let's take a look at what's coming and how to prepare for it.
What are the new rules?
One of the biggest changes from the previous rules is the wider territorial scope of GDPR. Prior rules were vague on where jurisdiction applied, but the new legislation makes it clear. Any controller or processor established in the EU is governed by these laws, even if the data is actually sent outside the EU for processing. Additionally, any company based outside the EU but offering goods and services to individuals in the EU, or monitoring their behaviour, must comply with the new rules; what matters is where the people are, not their citizenship.
The new rules are extensive, but some of the changes are:
- The maximum fine for the most serious breaches is the higher of €20 million or 4% of annual global turnover; there is a tiered approach, so less severe issues are capped at the lower tier of €10 million or 2%.
- Consent must now be freely given, specific, informed and unambiguous: companies cannot bury it in terms and conditions or rely on pre-ticked boxes, and it must be as easy to withdraw consent as it was to give it.
- Systems must now be built on a foundation of 'privacy by design and by default', with data protection a central component of the system from the start rather than a later addition.
What impact could it have on online businesses?
Where you rely on consent, your customers need to give it actively for you to store their data, and they must be well informed about what happens with it once they have consented. Many businesses already do this; offering several unticked checkboxes that allow new users signing up to opt in to company news but not to new product offers, for example.
If you have previously collected customer consent, you may need to review how this was done. Generally, pre-existing consent will remain valid as long as it meets the new requirements. However, if you collected data without an active opt-in (a pre-ticked box or a clause in the terms and conditions), or the person was a child below the age at which they can consent for themselves, you will need to go back and get permission again in order to comply with the rules.
You will still be allowed to collect personal data about a customer when they make an online purchase; you do not need consent for this because the processing is necessary to perform the contract. You still have to tell the customer what you do with the data, and you cannot reuse it for marketing on the strength of that contract alone.
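The consent rules above translate directly into how a signup flow should record and check consent. The following is an added example, not code from the original article: it models purpose-by-purpose opt-in that is unticked by default, withdrawal as a single action, a re-consent check for records inherited from the old rules (pre-ticked boxes, or a child below the age threshold), and a separate 'contract' basis for order data that needs no opt-in at all. The class and function names, the event fields and the age threshold of 16 are assumptions for the example.

```python
"""Consent ledger (added example, not the article's or any product's code).

Records every consent decision as an append-only event so that you can show
when and how consent was given, withdraw it with one call, and audit legacy
records that no longer meet the standard described in the text.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Optional

# Assumption: GDPR Art. 8 sets 16 as the default; member states may lower it to 13.
MIN_CONSENT_AGE = 16


class Basis(Enum):
    CONSENT = "consent"    # marketing etc.: needs an active opt-in from the person
    CONTRACT = "contract"  # fulfilling an order: no opt-in needed


@dataclass(frozen=True)
class ConsentEvent:
    purpose: str
    granted: bool
    explicit: bool         # True = user ticked an unticked box; False = pre-ticked or buried in T&Cs
    recorded_at: datetime


@dataclass
class Subject:
    subject_id: str
    age: int
    events: List[ConsentEvent] = field(default_factory=list)


def signup_form_defaults(purposes: List[str]) -> Dict[str, bool]:
    """Every optional purpose starts unticked; the user has to opt in to each one."""
    return {purpose: False for purpose in purposes}


def _latest(subject: Subject, purpose: str) -> Optional[ConsentEvent]:
    """The most recent decision for this purpose, or None if there never was one."""
    for event in reversed(subject.events):
        if event.purpose == purpose:
            return event
    return None


def record_choice(subject: Subject, purpose: str, granted: bool,
                  explicit: bool = True) -> ConsentEvent:
    """Append a timestamped decision; history is never overwritten, it is the audit trail."""
    event = ConsentEvent(purpose, granted, explicit, datetime.now(timezone.utc))
    subject.events.append(event)
    return event


def withdraw(subject: Subject, purpose: str) -> ConsentEvent:
    """Withdrawing is the same single action as giving consent."""
    return record_choice(subject, purpose, granted=False)


def needs_reconsent(subject: Subject, purpose: str) -> bool:
    """Consent we are relying on that was not an active opt-in, or came from a child
    below the age threshold, has to be obtained again."""
    latest = _latest(subject, purpose)
    if latest is None or not latest.granted:
        return False  # nothing being relied on, so nothing to re-obtain
    return (not latest.explicit) or subject.age < MIN_CONSENT_AGE


def can_process(subject: Subject, purpose: str, basis: Basis) -> bool:
    """Processing on a contract basis needs no opt-in; on a consent basis it needs a
    current, valid opt-in. Legacy consent that fails the new test is treated as absent."""
    if basis is Basis.CONTRACT:
        return True
    latest = _latest(subject, purpose)
    return latest is not None and latest.granted and not needs_reconsent(subject, purpose)


if __name__ == "__main__":
    # Constructed sample: a 2015 signup migrated with a pre-ticked 'offers' box.
    alice = Subject("alice", age=34)
    record_choice(alice, "news", granted=True)                   # ticked an unticked box today
    record_choice(alice, "offers", granted=True, explicit=False)  # inherited pre-ticked consent
    print("form defaults:", signup_form_defaults(["news", "offers"]))
    print("news ok:", can_process(alice, "news", Basis.CONSENT))
    print("offers needs re-consent:", needs_reconsent(alice, "offers"))
    print("order data ok without consent:", can_process(alice, "order", Basis.CONTRACT))
```

The point of the append-only event list is evidential: when a regulator or a customer asks when consent was given and what the person actually saw, you can answer from the ledger rather than from a single overwritten boolean column.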
Best business practices for keeping compliant
Being compliant with the GDPR is not only about protecting your customers, it is about protecting your business from the financial, reputational and legal consequences of breaching the rules. You still have time to prepare, so follow these best practices to help avoid falling foul of GDPR:
- To check your obligations, you first need to understand how your business collects and processes information; create a chart that depicts the flow of data through your business and the systems that use it.
- Remember to also document the flow of information to third parties. Users have the 'right to be forgotten', and when you erase someone's data you must tell anyone you passed it on to, so you need to be able to easily contact every recipient of the data you collected.
- From your data map, identify any compliance risks, such as opaque terms and conditions, a lack of explicit consent, or a data flow with no documented lawful basis.
- Set up an Information Governance Framework (IGF) to record how you process data and the procedure that must be followed; GDPR requires you to keep records of your processing activities, and you can be fined if you do not maintain them.
- Incorporate 'privacy by design' into any new initiatives; make protecting your customers' rights and data a core function of your websites and advertising.
- Familiarise yourself with the new rights data subjects will enjoy, such as the 'right to be forgotten' (erasure), the 'right to data portability' and the 'right to restrict processing'.
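The data map in the steps above is more useful as a small model than as a drawing, because you can then ask it questions: which third parties received this person's email address and must be told about an erasure, and which flows have no lawful basis written down. The following is an added example, not code from the original article or from any particular tool. The system names, data categories and contact details are a constructed sample, and the flow fields are assumptions.

```python
"""Data-flow map with erasure propagation (added example, not the article's code).

Each Flow says which categories of personal data move from one system to
another, on what documented basis, and, for third parties, how to reach them.
Erasure requests are then answered by following the flows rather than by memory.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Flow:
    source: str
    target: str
    categories: FrozenSet[str]  # personal data categories this flow carries
    basis: str                  # documented lawful basis; "" means nobody wrote one down
    third_party: bool = False   # target is an external recipient
    contact: str = ""           # how you reach a third party about erasure requests


class DataMap:
    def __init__(self) -> None:
        self.flows: List[Flow] = []

    def add(self, source: str, target: str, categories: Iterable[str], basis: str,
            third_party: bool = False, contact: str = "") -> "DataMap":
        self.flows.append(Flow(source, target, frozenset(categories), basis, third_party, contact))
        return self

    def reached_by(self, entry: str, categories: Iterable[str]) -> Dict[str, FrozenSet[str]]:
        """Follow flows out of `entry` and report which of `categories` reach which system.
        A flow only propagates the categories that actually arrived at its source."""
        reached: Dict[str, FrozenSet[str]] = {}
        queue = deque([(entry, frozenset(categories))])
        while queue:
            node, arriving = queue.popleft()
            for flow in self.flows:
                if flow.source != node:
                    continue
                carried = flow.categories & arriving
                already = reached.get(flow.target, frozenset())
                if not carried or carried <= already:
                    continue  # nothing new reaches this target via this flow (also ends cycles)
                reached[flow.target] = already | carried
                queue.append((flow.target, carried))
        return reached

    def erasure_recipients(self, entry: str, categories: Iterable[str]) -> List[Tuple[str, str]]:
        """Third parties that must be told about an erasure, with the contact route on file."""
        reached = self.reached_by(entry, categories)
        recipients: Dict[str, str] = {}
        for flow in self.flows:
            if flow.third_party and flow.target in reached:
                recipients[flow.target] = flow.contact or "NO CONTACT RECORDED"
        return sorted(recipients.items())

    def compliance_risks(self) -> List[str]:
        """Flows you could not defend today: no documented basis, or a third party
        you have no way to contact when someone exercises their rights."""
        risks: List[str] = []
        for flow in self.flows:
            label = f"{flow.source} -> {flow.target}"
            if not flow.basis:
                risks.append(f"{label}: no lawful basis documented for {sorted(flow.categories)}")
            if flow.third_party and not flow.contact:
                risks.append(f"{label}: third party with no contact route for erasure requests")
        return risks


def example_map() -> DataMap:
    """Constructed sample: a webshop and the systems its customer data flows into."""
    return (DataMap()
            .add("webshop", "orders_db", {"name", "address", "email"}, "contract")
            .add("webshop", "marketing_db", {"email"}, "consent")
            .add("orders_db", "payment_provider", {"name", "address"}, "contract",
                 third_party=True, contact="dpo@payments.example")
            .add("marketing_db", "mailer", {"email"}, "consent", third_party=True)  # no contact on file
            .add("webshop", "analytics", {"email"}, ""))                              # basis never documented


if __name__ == "__main__":
    shop = example_map()
    print("tell about email erasure:", shop.erasure_recipients("webshop", {"email"}))
    for risk in shop.compliance_risks():
        print("RISK:", risk)
```

Because propagation is per category, an erasure of an email address does not pull in the payment provider, which only ever received name and address; a request covering name and email does. The two risks the sample surfaces are exactly the ones the list above warns about: a flow with no basis written down, and a third party you cannot easily contact.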
The sooner you update your data policies, the easier it will be to avoid disruption when the new laws come into effect next May.