This is a guest post by Erick Sabelskjöld. Thank you for your contribution and finally throwing light on GDPR!
GDPR: the impact on your company?
According to Veritas, “The GDPR requires greater oversight of where and how personal data (including credit card, banking and health information) is stored, how this data is transferred, and how access to it is policed and audited by organisations. GDPR, which takes effect on May 25, 2018, will not only affect companies within the EU, but extend globally, impacting any company that offers goods or services to EU residents, or monitors their behaviour. Some examples are tracking their buying habits, marketing and lead generation.”
Studies show a staggering 47 percent of organizations globally have major doubts that they will meet the compliance deadline.
Are you one of the 47%? Maybe the following will help your company be better prepared!
GDPR: who does it apply to?
GDPR who it applies to?
The GDPR will apply to you if your business is doing anything with data that relates to living people and from which you can identify those people. So basically every company, unless you only have 1 founder and work with and sell to robots and viruses.
What effect does GDPR have on marketing from supplier lists?
Before acquiring a contact list or a database with contact details of individuals from your supplier, your supplier must be able to demonstrate that the data was obtained in compliance with the GDPR.
For example, if the marketing list is acquired based on consent, the consent should have included the possibility to transmit the data to other recipients for their own direct marketing or for the specific activity you have obtained it for.
If the list provider did not receive consent and you use the list for marketing… then it’s on you, and you will have to explain why you didn’t know the background of the list you were marketing to. Then of course the fines will follow; GDPR has zero tolerance.
You must also ensure that the list or database is up to date and that you don’t send communications to individuals who objected to the processing of their personal data for the specific activity you are using it for.
This is just for a marketing list! GDPR covers every aspect of “personal data” within your business.
How is ‘personal data’ defined?
- A name, surname and home address
- An identification card number
- Location data obtained through an app on a mobile phone; and
- An Internet Protocol (IP) address
Processing personal data under GDPR!
- Personal data must be processed lawfully, fairly and in a transparent manner
- There must be a specific purpose for processing data
- Personal data must be relevant and limited to what is necessary
- Personal data must be kept up to date
- Personal data must not be stored longer than is necessary
- Personal data must be kept secure at all times, including against accidental loss, theft and damage
4 Staggering GDPR Statistics about Companies:
86 percent of organizations worldwide are concerned that a failure to adhere to GDPR could have a major negative impact on their business.
More sobering perhaps is the claim that nearly 20 percent said they fear that non-compliance could put them out of business.
44 per cent do not know what the GDPR is: that’s just under half of HR and payroll professionals who are not aware of GDPR. Ultimately, we can presume that those respondents are not taking essential steps to prepare for the deadline.
77 per cent of HR and payroll professionals believe they are liable, although 23 per cent either don’t think they are or are unsure as to their own liability.
Confused by all this GDPR? You’re not alone!
One in four businesses in the UK say they have cancelled all preparations for the EU General Data Protection Regulation in the misunderstanding that it will not apply after Brexit. This would lead to even greater problems for the UK economy in the post-Brexit period.
Don’t worry….. It gets worse!
There is no grace period after 25 May 2018 either. Fines will be severe. Failure to comply could mean a fine of 4% of total annual worldwide turnover, or up to €20 million — whichever is higher.
It can happen to Uber, it can happen to you: “Uber data leak could have earned £17.75m fine under GDPR”
What Does the GDPR Mean for you and Overseas Businesses?
The GDPR means that companies all over the world, regardless of where they are based, will have to comply with the legislation’s laws on how user data about EU nationals is processed, gathered, and stored.
Compliance with the GDPR means companies essentially have to switch from an “opt-out” approach to an “opt-in” approach; rather than forcing users to opt out of having their personal data collected and stored, users must instead give companies their express permission with regard to virtually all aspects of an individual’s data security. This applies to everything from something as seemingly innocuous as automatically signing up users to an email newsletter to more wide-scale efforts, such as the pseudonymization of user data.
Do I Need to Hire a Data Protection Officer to Comply with the GDPR?
You may have a legal obligation to hire a Data Protection Officer (DPO) to ensure compliance with the GDPR. However, there are exceptions. You only have to hire a DPO if:
• Your organization is a public authority (i.e. a company that exercises control over the maintenance of public infrastructure or has broad powers to regulate public property)
• Your organization is engaged in large-scale systematic monitoring of user data
• Your organization processes large volumes of personal user data
Unfortunately, the official text of the GDPR as it stands today is unclear regarding the definition of “large-scale” data processing. However, there is some guidance, albeit somewhat limited in its scope.
How Stringently Will the GDPR Be Enforced?
“I only have a handful of email newsletter subscribers in Europe,” I can hear you say. “Surely I don’t need to worry about all this for just a handful of users?”
When the GDPR goes into effect in 2018, it will become one of the most robust consumer data protection initiatives in the world – if not the most. As a result, companies should expect the regulation to be rigidly enforced.
Although you may not be legally required to hire a dedicated Data Protection Officer, you absolutely MUST comply with the GDPR regulation if you collect, store, or process data from ANY EU nationals, regardless of how many. Failure to do so may result in stunning financial penalties.
Startup statistics! Far from prepared!
Some 91% of more than 4,000 startup companies polled, mainly in the UK (48%) and France (13%), admit to collecting personal data, but most rank poorly in terms of readiness for the EU’s General Data Protection Regulation (GDPR), a survey has shown.
The readiness score ranges from 1 to 10, with 10 being the most prepared. The average readiness score was just 4.1.
Only 29% of startups encrypt their data
Only 34% have a data breach notification plan
Only 47% of startups polled by Mailjet ask for consent before collecting data, and only half have made it easy for customers to withdraw their consent.
How much does it cost to become compliant?
TrustArc’s GDPR research focused on GDPR spending. Of the respondents, 83 percent expect their GDPR spending to top six figures, with 42 percent expecting spending to be between $100,000 and $500,000, 23 percent estimating between $500,000 and $1 million, and 17 percent looking at more than $1 million.
Broken down into organization size, 53 percent of companies with 500-1,000 employees expect to spend $100,000 to $500,000, while 23 percent of companies with more than 5,000 employees expect to be spending more than $1 million on GDPR compliance. The largest companies polled expect to spend somewhere in the range of $28 to $48 million.
Do you know GDPR isn’t just about your customers…
Many companies are focusing their GDPR efforts around their external data. They’re reviewing processes and systems to ensure compliance with customers’ new rights.
However, the new regulation also extends to the data you hold on your employees.
So as May 2018 approaches, it’s important to include HR and payroll in your planning too. They should have a permanent seat at your GDPR table, right alongside finance, IT and operations.
Are we all doomed by GDPR? No! We don’t have to be!
There are many ways to help make your company better prepared! Stay tuned for the follow-up article that will offer an easy-to-follow, easy-fix guide for your GDPR compliance.
If you would like to receive information sooner, along with some personalised help with your GDPR compliance, feel free to contact us.
We are also considering launching a workshop series to help companies fast track to better understanding and compliance.
Thanks again, Erick, for your contribution!
Still looking for your GDPR compliant recruiting solution?