GDPR is on its way, but what is it? You’ve probably at some point or another come across something about the Data Protection Act or some other form of regulation that protects personal data from being misused, sold or otherwise tampered with or exploited. It’s often the case that when consumers have disagreements with companies and service providers they attempt to ‘quote’ the Data Protection Act or something similar as a threat against the business they are in conflict with. All too often customers misunderstand or misuse the terminology and think that by simply invoking the legislation the big corporate entity will automatically back down or grant them their request.
The truth is that in the last few years compliance in Ireland and EU-wide has been a big focus for so many businesses, and the amount of money and effort they put into ensuring that they are adhering to all the rules and regulations is massive. There are legitimate times when a consumer should be able to request whatever information a business has about them, but in the majority of examples that I have come across, the general public seems to think that it is a piece of law designed to allow them unfettered access to the company and its records.
It’s true to say that the average person may well be aware of data protection, but few will know the ins and outs of it. What’s equally true is that most company employees may have some cursory training in what they need to know when challenged by a customer, but in general they assume that it’s someone else in the business who is responsible for ensuring that what they’re doing is up to the standards. Well, from May of 2018, people are going to hear a lot more about data protection and in particular GDPR.
So what is GDPR and why should I care? Well, first and foremost the initials stand for General Data Protection Regulation, and in its simplest form it is a European Union-wide framework around data protection that is designed to make the standards across those countries the same, as well as ensuring that the consumer has control over their own data. Sounds like a good thing for all concerned, right? Well, yes, the idea is that customers will have more security when they give any personal information to a company, and the company will have to follow strict guidelines as to what they can and can’t do with this data.
There are many reasons why this is an important step in regulation: it not only ensures that customers are protected, it also means that information coming into and leaving the EU will be regulated and secured. In a nutshell, it means that even if a company is based outside the EU, it will still have to protect your information if you interact with it in that zone.
There are huge challenges ahead at the same time, though. Many businesses may believe that they are not going to be affected by these new regulations, but the truth is that virtually every business will be touched by this, and it will have repercussions for the bottom line but also, notably, for every employee of that business. Let’s look at some of the things to be aware of.
As a business you will have to ensure that any and all customer information is protected from misuse, as has always been the case, but from May onward you will need to categorize the types and levels of information you gather from customers, from name and e-mail address to notes and correspondence to and from them. You will also need to have clear and accessible guidelines as to who can access that information within your business and outside it. Your company will be required to show the structures in place for keeping data secure in physical copies on site, in digital copies and in cloud-based storage.
While this may seem like everything that you’d expect from data protection, the EU is bringing in stricter rules about data storage. For example, as an employee of a business you will be responsible for making sure that you protect any data that you have access to. This means not leaving notes on your desk and ensuring documents are correctly destroyed and shredded as needed, but more than that, you’ll also be restricted as to how you manipulate that data and transmit it.
It amazes me the number of businesses who still use personal phones, e-mail addresses and other unsecured systems for sending and receiving customer information. This is about to change. There will be strict rules about keeping e-mails on secure servers, for example, and the fines are impressive to say the least if you are discovered not to be compliant. In fact, the EU will have the ability to fine a business up to 4% of the company’s annual turnover, so this is not something to be taken lightly.
I’m conscious that I’m very much sounding like the voice of doom and gloom, but there is an upside to all of this from a compliance point of view. These regulations are strict but very straightforward. Sure, it’ll take a lot of businesses a while to get up to speed with them, but once they are, they can rest assured that they are now compliant EU-wide, which will mean that smaller businesses can compete as they are under the same rules as larger ones. So this is a plus, but with fines that could cripple a company it’s a steep learning curve.
As a quick example of how employees can directly affect this, I still regularly talk to people from businesses who often take their work home with them in the evening or at the weekend. Nothing wrong with that in theory, but once they mail the information to their personal e-mail or keep any documents on their own device, the chances are they are in breach of GDPR. So while there are easy rules to follow, it is the responsibility of every employee to make sure they are compliant.
This is a big topic for businesses going forward and I wanted to avoid going into too much detail or using any jargon, but if you think that GDPR affects you, and chances are it does, I’d highly recommend checking out the following link: http://gdprandyou.ie/