You'd have to have been living in a cave for the last 12 months not to have come across these four letters... GDPR.
The General Data Protection Regulation is a new EU regulation which, in layman's terms, enshrines the protection of personal data in law.
Our short guide to GDPR is for busy business people who need a quick summary of what it is, how it works and why it might affect them.
It matters to you if your company stores any data at all regarding your customers. Anything from their email address to their bank details falls under the GDPR and the penalties for breaking it are stiff.
The regulation's exact definition of personal data is as follows:
“Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
It's vague, of course, but equally all-encompassing: basically, if you have any way to reach your customer, you need to adhere to the GDPR.
It goes further when describing sensitive personal information:
“Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited – unless one of the Article 9 clauses applies.”
To stay on the right side of the regulation it is imperative that your IT staff, and anyone else with access to such data, are fully aware of the regulation and how to stay compliant.
There are six sections you need to be aware of, and they are pretty straightforward.
1: Data must be collected honestly and transparently.
Gone are the days of grabbing details on the fly. Make sure any methods you use to collect and collate data are obvious and visible.
2: Data must be collected for a legitimate reason.
There's no room for capturing information you don't need now but might like to use later for another project.
3: Data must be relevant.
Ensure any data you do hold is necessary for business purposes, and lose anything above and beyond that.
4: Data must be accurate and up to date.
Keep it in order and make sure it's correct.
5: Data must only be kept for as long as it's necessary, and in a form which is removable.
No longer can data linger forever on endless servers.
6: Data must be kept securely and protected from theft and destruction.
This is perhaps the most fundamental difference from prior legislation and basically means all data must now be encrypted.
The GDPR comes into effect in May, which means you have barely two months to get your house in order, and the penalties are going to be severe.
As it stands there are two tiers of fines for failing to adhere to the GDPR, and even the lower of the two could still potentially cost firms millions in fines. The higher tier has a ceiling of 100 million euros, and there is likely to be little in the way of leniency.
In short, never has data been quite so important. If you are in any doubt whatsoever about how the legislation applies to your firm or department, it might be worth taking a good long look at the official GDPR educational portal.