It’s been nearly six years since the General Data Protection Regulation came into force in 2018. This marked the start of a new era for digital privacy.
This EU-wide legislation was created to protect consumers and to reflect the fact that the way technology is used today is quite different to the past. We live in an ever more connected world, and data is everywhere. It is generated, stored, sent and received by people all around the globe and increasingly by countless autonomous devices too.
So it has become necessary to put in place laws to protect the general public and make sure that when it comes to data privacy, personal rights are respected. To that end, the GDPR lays out the obligations Irish businesses have when it comes to handling customer data.
The penalties for not following the rules can be significant. For less serious infringements, you can be fined up to €10 million or 2 per cent of your global annual revenue, whichever is higher. For more serious infringements, you could be looking at fines as high as €20 million or 4 per cent of your global annual revenue, whichever is greater.
But just what are your obligations under this law, and how can you know if you’re fully compliant? What should you be doing? The GDPR apply to all businesses that process the personal data of EU citizens, irrespective of the business's location. Key principles include ‘data minimisation’, accuracy, storage limitation, and accountability.
So if you create, store or transmit data on the general public in the course of doing business, the onus is on you to make sure you’re doing that in a compliant way.
A good place to start is to know what data you already have, how it’s stored, and what new data you routinely collect. You need to know where your data comes from, how it's processed and who has access to it. A thorough data audit helps in understanding the data flow within your organisation.
Update your privacy notices to be clear, concise and transparent. Under GDPR, consent must be freely given, specific, informed and unambiguous. Ensure that your methods for obtaining consent meet these criteria.
All processing of personal data must be lawful, fair and transparent to the data subject. You can’t collect data for one purpose and then decide later to use it for something else the consumer didn’t consent to. Data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Any data collected must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. For example, just because you ask a customer to fill out a form doesn’t mean you can ask for information on that form that’s not relevant to the purpose it was created for.
Data must be accurate and, where necessary, kept up to date. Inaccurate data should be erased or rectified without delay.
You should store your data in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. It should also be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Be prepared to honour the rights of individuals, including the right to access, rectify, erase and port their data. Have procedures in place to handle such requests.
What would you do if you suffered a data breech? Do you know? It’s always a good idea to have a plan to detect and investigate a personal data breach. The regulations oblige you to report certain types of data breaches to the Data Protection Commission within 72 hours.
Depending on your data processing activities and the size of your business, it might be a good idea to appoint a DPO. This person will oversee your GDPR compliance and act as a point of contact for supervisory authorities.
It’s also important to remember that responsibility for your data lies with you, regardless of where that data is stored. So if you routinely use cloud-based services, perhaps for storage or while using productivity software that stores data remotely, it’s your responsibility to check those third parties are also GDPR-compliant.
Staying complaint isn’t a one-time task, any more than paying tax or filing a VAT return is. Solution: Stay informed about regulatory changes and continuously update your practices.
For more information on keeping your customers and your business data secure, chat with one of our V-Hub advisors.