The EU’s General Data Protection Regulation (GDPR), which came into effect in May 2018, is the most significant change in the digital world since the turn of the millennium and has affected businesses on a global scale. Essentially, the GDPR comprises a set of laws designed to control the handling of consumers’ personal data. Adherence to the requirements of the GDPR is compulsory, with stiff penalties imposed for non-compliance. In this article, you can find out if and how the GDPR applies to your business and how you can ensure your business is compliant and protected.
Does the GDPR apply to your business?
If you have a business that deals with the personal data of European citizens in any way, shape or form, you are required to comply with the regulations of the GDPR. This applies regardless of where your data is held; for example, your website may be hosted in the United States, but, as a UK or EU-based business, you are still bound by the laws of the GDPR. Despite Brexit, UK-based businesses must also adhere to the GDPR, as the regulations of the GDPR have been written into UK law. Moreover, any business, globally, which offers goods and services to people in the EU or has a database that may include details of consumers from the EU, is required to comply. In response to this, many countries worldwide have drafted or are in the process of drafting complementary local laws, meaning the GDPR truly has had a global impact.
An important aspect of how the GDPR may affect your business is the expanded definition of what had previously been understood as ‘private data’. Before, private data that needed to be protected included information such as the names, addresses and billing details of consumers. Now, the definition of private data has been extended to include internet browsing habits collected by website cookies, location data and other online identifiers, as well as genetic data. It is for this reason that a significant number of businesses that would not have previously been bound by EU privacy laws have now been included in the GDPR, merely due to their website analytics, if nothing else.
The GDPR’s impact on how your business deals with personal data
There are a number of GDPR regulations that dictate how your business deals with personal data. We’ve summarised key points below.
» Consent: Under the GDPR, consumer consent for all data-related business activities needs to be explicit and provable. This means that consent for such as mailing lists and website cookies cannot be implicit or assumed; consumers need to explicitly agree to participate. Cold e-mailing and automatic cookie notices are a thing of the past.
» Protection: Once consented to per GDPR regulations, consumer data collected needs to be protected with appropriate cybersecurity protocols. This includes continually assessing and addressing your cybersecurity risks. Should a data breach occur due to cybersecurity measures that are inadequate per the GDPR, your business will be held liable and penalised. Find out more about ensuring your business is compliant and protected in this respect below.
» Breaches: If a cybersecurity breach occurs, and consumer data is compromised, the business is required to report the breach within 72 hours. A breach that threatens any kind of risk to the consumer needs to be reported to the relevant authorities and the consumer/s affected.
How to ensure your business is compliant and protected
According to a 2019 study undertaken by the UK government, 26% of businesses admitted to not being fully compliant with GDPR regulations. The study also found that 49% of businesses do not believe the GDPR has made their business safer from cybercrime, with many findings some of the regulations difficult to interpret or unnecessary to apply.
With penalties of up to €20 million or 4% of annual turnover, whichever is greater, being in any way non-compliant is not a position you want to find your business in. The truth is, investing in the improvement of your business’s cybersecurity and adherence to the GDPR need not be exorbitant or inconvenient. You simply need to identify the specific risks to your business, instead of employing an inefficient and ironically ineffective one-size-fits-all blanket approach. The comprehensive roster of cybersecurity services offered by Numata Cybersecurity will ensure your business is GDPR compliant and protected against cybercrime, providing cybersecurity awareness training, and helping your business to identify specific threats.
Rather than viewing the GDPR in a negative light, consider its regulations as a clear guide to keeping your clients’ trust and improving your cybersecurity. Contact us for more about cybersecurity and ensuring your business is GDPR compliant.
Read our full data compliance series here.
