GDPR

GDPR and its effect on your business

| 24-10-2017 | treasuryXL |

As if the finance industry is not already facing enough challenges swimming through the sea of regulatory acronyms – Basel III, EMIR, MiFID II, SOX, KYC etc. – a new directive is due to come into force on 25th May 2018, namely GDPR.

GDPR (General Data Protection Regulation) is an EU directive concerning the personal data of EU residents that is held by companies. It is intended to give EU residents more control over their personal data by dictating how that data is held by companies. Any processing of data that could be used to determine the identity of an individual must comply with GDPR. Furthermore, the definition of personal data has been expanded from the usual name and address information to include such things as IP addresses, cookie data, photographs, minutes from a meeting in which people are named, etc.

The law states that any company that stores or processes personal data about EU citizens within EU states must comply with GDPR. The main criteria determining whether a company must comply include:

  • A presence in any EU country
  • No presence in the EU, but processes personal data of EU residents
  • More than 250 employees

At first glance most small businesses would appear to be exempt, but a provision in Article 30 shows this is not entirely the case. The following explanation has been externally sourced:

The only time the articles allow concessions for organisations with fewer than 250 employees is in Article 30 – Records of processing activities. Most organisations will have to maintain a record of processing activities that contains the name and contact details of the controller, the reason for the processing, a description of the type of personal data or category being processed, how long the data will be kept before it will be deleted, and some other requirements.

Point 5 of Article 30 states that the requirements will not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories. Therefore, a company that processes data on a regular basis or processes special category content such as racial, political or genetic (and others listed in Article 9) material, even if quite small, will not be excluded from this requirement.

Source: https://www.fsb.org.uk/first-voice/act-now-to-comply-with-new-gdpr-rules

Even sole traders hold data, not just on other companies (trading partners) but also on individuals. A sole trader might assume that the law does not apply to them, but the more prudent approach is to review all data held. Data can be held in a myriad of locations:

  • Hard drives
  • USB sticks
  • Dropbox
  • Cloud
  • Evernote
  • WhatsApp

Having discovered all the data that you hold on others, it is then necessary to design a method to protect that data. Password protection on your computer alone is not enough; encrypting the data itself provides additional security.

The rights of the individual are clearly defined by GDPR – these include:

  • The right to be informed
  • The right to restrict processing
  • The right to refuse to become a data subject
  • The right to be forgotten
  • Data portability

The penalties for companies failing to comply with GDPR, or failing to disclose data breaches, include fines of up to 4% of global annual turnover for the preceding financial year or EUR 20 million, whichever is the greater.

What can you do to prepare for GDPR?

All companies that handle client data have a duty to protect that data. That means you need to be able to locate, identify and control the data, and to delete it if the individual so requests. Furthermore, individuals have the right to know how and why companies are using their personal data and whether that data is shared with any third parties.

This means starting with a thorough examination to find and identify all third-party data that you hold, and why you hold it. This data then needs to be examined and protected. Data should be held in a single primary source, not duplicated across locations. Clients need to be informed of the data you hold on them.

Whilst this is a considerable challenge, there is a potential advantage to be gained: clients knowing that you comply can increase the trust they place in you and your organisation.

Remember – you have only about 150 working days left to implement!