GDPR, which stands for the General Data Protection Regulation, came into effect on May 25th 2018, and affects businesses across the UK and the world. Companies that store and process the personal data of any EU citizen must now become GDPR compliant or face a fine of 4% of their annual turnover or €20 million—whichever is higher.
Companies are now scrambling with questions on what these data protection laws entail and how to become GDPR compliant, but luckily for you, we’ve got the answers.
Our GDPR toolkit goes into total depth on how your business can become GDPR compliant. In the meantime, this blog post will give you a brief idea of how GDPR relates to your B2B company, to give you some guidance and calm among all this GDPR chaos.
So, here goes...
What is GDPR?
GDPR seeks to govern all personal data protection rights of individuals in the EU. These laws impact businesses across the globe that store and process the data of EU citizens, and virtually all industries, including recruitment, legal, B2B and so on, are affected.
Into The Nitty-Gritty...
Our GDPR series covers much of this in greater depth, but we’ll recap a little here.
In order to become GDPR compliant your business must provide a legal basis for storing and processing any personal data. Under GDPR, companies are treated as individuals, which means that the ‘personal data’ of both the companies and the individuals you hold records on must be stored and processed in a GDPR-compliant way.
- Personal data is defined by the European Commission as “any information relating to an individual, whether it relates to his or her private, public or professional life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
You can choose one lawful basis among six, which include:
- Consent—the individual has given clear consent for you to process their personal data.
- Contract—the processing is necessary for a contract you have with the individual, or because they’ve asked you to take specific steps before entering into a contract.
- Legal Obligation—the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital Interests—the processing is necessary to protect someone’s life.
- Public Task—the processing is necessary for you to perform a task in the public interest, and the task has a clear basis in law.
- Legitimate Interests—the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
How Can I Become GDPR Compliant?
We’ve set out eight stages of action you can take to help you become GDPR compliant...
1. Spread The Word
It’s vital you spread the word and make sure everyone across your organisation is aware of GDPR and its ramifications. It’d be a mistake to think that only your top decision-makers need to know about GDPR. GDPR affects both the data that you store and process, and your own data, along with your employees’, that others store and process.
The more educated everyone is about GDPR, the less likely someone will accidentally break one of GDPR’s many complex laws. For example, if you choose to pick consent as your lawful basis, you must ask your contacts for their consent and include something like an opt-in form or button they can click to show their consent. You cannot cheat this by asking your contacts if they’d like to opt-out instead. If someone makes this simple mistake, then your business will be non-compliant, and you risk paying those hefty fines.
2. Documentation Is Key
Here lies the name of the game. GDPR is all about transparency around the personal data you process and store. Documenting everything about the data that you hold—including where your contacts came from, who has access to the personal data you store and what lawful basis you’ve picked to justify that data storage—will help ensure that your entire organisation is GDPR compliant.
We recommend that you conduct an information audit throughout your entire organisation. You can start this audit by asking yourself the following questions:
- What data does our company hold?
- Where does our company store this data?
- What is our data used for?
- Who has access to our data?
3. Update Your Privacy Notice
You must update your privacy notice to reflect your GDPR compliance. This essentially means updating your notice with all the information you’ve covered under your information audit. A privacy notice should thus include information on:
- Who you are.
- What personal information you hold.
- Where the information was sourced.
- What purposes the information will be used for.
- How long it will be held.
- Which legal basis you’ve picked for storing and processing personal data.
- The explanation that any individual has the right to complain to the Information Commissioner if they believe there’s a problem with how their data is being handled.
4. Protection Is Priority
GDPR is primarily concerned with protecting the personal rights of individuals across the EU, which is why it’s been put in place. The new GDPR data protection laws replace the previous 1995 Data Protection Directive, which was outdated in its approach to protecting personal data because it couldn’t keep up with the rapid technological advancements of the modern age.
All of your contacts in your database have the right to see, correct, restrict access to or remove their information altogether from your company. This means that, if a contact emails you asking for their personal information to be removed from your database, under GDPR, you must comply.
Ensure you have steps in place to make this as simple as possible. You could include an email address they can contact if they’d like their information to be removed from your company, or put a section on your website outlining how they can remove their information themselves.
We’ll say it again: transparency is key. Although the loss of a contact may hurt, it won’t hurt as much as those hefty GDPR non-compliant fines!
5. Detect, Report and Investigate
The security of your data subjects’ personal data is a huge part of GDPR. In case of a serious data breach, you should have procedures in place to detect it, report it and investigate the perpetrator. Some other security measures you’ll want to oversee are:
- The strong encryption of personal data records.
- Ensuring confidentiality is maintained, as well as the availability and reliability of data processing systems.
- If an incident occurs, being able to restore personal data in a swift manner.
- Having a procedure in place to regularly test the effectiveness of your security measures.
6. Choose Your Officer
Although all your employees should have basic knowledge about GDPR, you’ll need to assign someone in your organisation the title of data protection officer (DPO). This individual will be responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements.
GDPR actually calls for the mandatory appointment of a DPO for any company that processes and stores large amounts of personal data.
The DPO’s responsibilities, as outlined in GDPR Article 39, include but aren’t limited to:
- Training staff involved in data processing.
- Educating the company and its employees on important GDPR compliance requirements.
- Carrying out audits to ensure compliance and address potential issues proactively.
- Being the point of contact between your company and GDPR Supervisory Authorities.
- Monitoring performance and providing advice on the impact of your data protection efforts.
- Informing data subjects how their data is being used, including their right to have their data erased from your database, and what measures your company has put in place to protect their personal information.
7. Reduce The Risks
Data protection impact assessments (DPIAs) help organisations identify, assess and decrease the privacy risks involved with data processing activities. The GDPR outlines that a DPIA must be conducted where data processing “is likely to result in a high risk to the rights and freedoms of natural persons.”
A DPIA should essentially be conducted for any new major project which requires the processing of personal data. Your DPIA should:
- Describe the context and purpose of your processing.
- Assess necessity, proportionality and compliance measures.
- Identify and assess the risks to individuals.
- Identify any measures you take to lessen those risks.
8. Make It Known!
GDPR is such a complex issue that, once you have become GDPR compliant, you shouldn’t let all that hard work go to waste! Update your website and email all your contacts telling them that you’re fully GDPR compliant. Those who later come into contact with your organisation can then rest assured that their data will be stored and processed safely, which will encourage business between you.
With your compliance, GDPR will only add to your brand image. So take advantage of this golden opportunity!
We hope this blog gave you a little more information on how to start becoming GDPR compliant. If you’d like more information about the very complex laws surrounding GDPR and how you can become fully compliant, then download our free eBook The GDPR Toolkit for Business.