On 25 May 2018, we woke up to inboxes with noticeably less email spam. This was due to GDPR. There has been much talk about these rules and regulations, but many companies still don’t understand that they apply to them. Many have been going about their business, not realizing they are violating one of the most important pieces of privacy legislation of all time. So what is it? And how can you make sure you’re compliant?
What is GDPR?
The General Data Protection Regulation was created by the European Union to enhance the privacy and protection of citizens in the digital realm. It covers data protection, privacy, and the transfer of personal data outside the EU and EEA. The aim is to give users back control over their data and to simplify the regulatory environment.
It provides an update to the Data Protection Directive, created in 1995. A revision was necessary due to the vast advancements in technology and the use of the internet. This Directive applies to the whole European Union and European Economic Area. Each state then transposed it into national law.
What’s its purpose?
The main purpose of the GDPR is to provide protection to individuals. This includes their fundamental rights and freedoms, such as the right to the protection of their personal data. The right to a private life is enshrined in the European Convention on Human Rights; this includes their ‘life’ online.
The EU identified a need to harmonize data privacy laws across the bloc and to bring them up to date with current technology and practice.
To whom does it apply?
The GDPR applies to any individual or organisation that operates within the EU. It also covers any entity that is based outside the EU but that offers services to businesses inside the EU or to EU citizens and residents. This means that even if you’re based in North America, China, Australia or South Africa, but you have one EU client, you are bound by GDPR.
Rather than wondering whether it applies to you, it’s a safer bet to assume it does. Putting in place policies and processes based on the provisions of GDPR protects you legally and forms a solid set of best practices. Furthermore, GDPR compliance will help you comply with privacy laws and regulations in other jurisdictions.
The legislation also refers to two responsible entities: data controllers and data processors. A controller is a person or entity that determines the purpose and means of processing personal data. A processor is a person or entity that processes the data on behalf of the controller. Processors are obliged to maintain comprehensive records on personal data and how it’s processed. Controllers are required to ensure all contracts and agreements with processors are GDPR compliant.
If in doubt, consult with Fast Offshore to understand exactly which provisions apply to you and your business. We can also guide you on how to implement processes to protect yourself from penalties.
Pillars of GDPR compliance businesses need to be aware of
As a startup or small business owner, you may not have even considered GDPR. Setting up a website, marketing, letting people know about your business: this is all part of the process. But GDPR impacts exactly how you can and should do these things.
There are six main pillars of GDPR that can help businesses understand their obligations.
Data minimisation
You should only collect the information that you really need. There is no need to gather, process, or store any personal information that is not required for the functioning of your business.
Storage limitation
GDPR lays down how long you can store information on each individual. It also allows for the right to be forgotten and for people to know what data you hold on them. You are obliged to delete it on request, without any penalty.
Lawfulness, fairness, and transparency
You must act within the law at all times, be transparent, and honest with the data subjects.
Integrity and confidentiality
You are obliged to take care of the data you hold, including keeping it secure and safe. Should there be a breach, you must inform the affected individuals and tell them how you will rectify it.
Accuracy
You must be accurate in the collection and processing of data and in the information you give to individuals.
Purpose limitation
Your reasons for collecting the data are limited to a handful of grounds laid down in the GDPR.
These are just the basics of what GDPR requires. It’s always best to check with Fast Offshore regarding your obligations.
What are the consequences of non-compliance?
Compliance with the GDPR isn’t optional. Not only do authorities make sure it’s adhered to, but consumers are increasingly aware of their rights.
Cases of non-compliance incur fines of up to EUR 20 million or 4% of the global turnover of the previous year, whichever is higher. Note that the turnover includes any linked companies, not just the offending entity. Additionally, civil and criminal charges can be filed in some cases under national laws.
To date, the European Union has imposed fines totalling EUR 272.5 million, more than half of which were issued in 2020. This shows that regulators are getting more serious about infringements of people’s privacy.
But it’s not just financial and legal penalties that you have to worry about. Reputational damage caused by violations and breaches is vast and hard to undo. Once you’ve been tarred as someone who ignores GDPR, there is little you can do to save the situation. Simply put, the consequences of non-compliance are not worth the benefit of any violation. Compliance with GDPR should form an essential part of your company compliance policies.
Contact Fast Offshore
It’s impossible to explain the full scope of GDPR in just one article. It’s a complex piece of legislation that requires expert understanding and execution. Fast Offshore can help you get compliant and stay compliant, whatever sector you are working in.