Few terms have entered everyday business vocabulary as quickly as “GDPR”, and not necessarily for positive reasons. The adoption of the General Data Protection Regulation (GDPR) by the European Union in April 2016 made waves across industries all over the world, and those waves only grew larger when the Regulation became enforceable in May 2018. The GDPR replaced the existing EU data protection framework (the 1995 Data Protection Directive) in an effort to apply stricter and more uniform data privacy rules across Europe. Businesses in Europe, and indeed around the world, have had to reshape the way they handle the personal data of individuals in the EU. Some previously common practices are no longer permitted, so businesses have devoted countless hours and resources to new internal and external procedures in order to abide by the rules. Yet, a year after the Regulation took effect, there are still many instances of businesses failing to comply.
Obligations on Businesses
As touched upon above, businesses have had to alter the way in which they store, manage, process and generally handle an individual’s personal data. The definition of personal data is so broad that it is no wonder businesses have had to change how they operate in order to comply. To illustrate, some businesses have begun referring to individuals in email correspondence by their initials rather than their full name. The idea is that, should an individual exercise the right to see all of the data held about them, the business will not have to sift through thousands of emails looking for every message that names that person. Two caveats are worth bearing in mind. First, initials are a form of pseudonymisation rather than anonymisation: where the person can still be identified from the context, or by combining the email with other records the business holds, the data remains personal data under the Regulation and must still be located and disclosed on request. Second, procedures that aim to change how a business’s employees, and even its associates, operate take time and can be expensive. A business with hundreds of employees will inevitably find such a change more challenging to implement, since there is more room for mistakes and misunderstood instructions, and more rigorous training is needed to achieve consistency across the organisation. This is just one of the many challenges that GDPR has brought to the table.
A fact that can be overlooked is that GDPR protects the personal data of individuals who are in the EU, regardless of their nationality. This means that even companies based outside the EU which offer goods or services to people in the EU, or monitor their behaviour there, have had to conform to GDPR so as to avoid being fined by an EU supervisory authority. It is for this same reason that the past year has seen an influx of websites asking you to accept or manage cookies before you can access the site. GDPR’s transparency and consent requirements (applied alongside the existing EU rules on cookies) make it mandatory that users, i.e. data subjects, are told exactly what personal data of theirs is being processed and why.
Business-to-Business (B2B) Issues
The GDPR has been designed so that its reach extends as far as possible. Any business, regardless of where it is based, is subject to GDPR if it offers goods or services to individuals in the EU. However, this also means that when a business relies on other organisations to deliver those goods or services, each of those organisations must handle the personal data lawfully as well. For example, if a person orders a product from Amazon with expedited shipping undertaken by DHL, both Amazon and DHL must comply with GDPR, because DHL receives personal data about the data subject (such as the customer’s name and address) which must be safeguarded. If DHL were in breach of GDPR with regard to the customer’s data, it would not necessarily be the only party exposed to a fine: Amazon can still be liable for handing personal data to a business that is not GDPR compliant. In particular, where the recipient processes the data on the business’s behalf, GDPR requires the business to use only providers that give sufficient guarantees of compliance and to bind them by a written data processing contract.
For this reason, businesses are increasingly careful about who they do business with, since each new associate can expose them to liability. Some have gone so far as to cut ties with associates they believe might expose them to such liability. Given that GDPR allows fines of up to €20 million or 4% of a business’s worldwide annual turnover, whichever is higher, this reaction is not unwarranted. Google, for instance, has begun cutting ties with smaller third-party advertising partners, since these smaller parties generally lack the means to be fully GDPR compliant when handling users’ personal data. It is difficult to blame Google in this instance given that the search giant was issued a €50 million fine by the French supervisory authority at the beginning of 2019 for failing to comply with GDPR.
What can a Business Do to Ensure it is GDPR Compliant?
The most important thing for a business to do is to acquaint itself with the specific rights that GDPR gives individuals, so that it knows what the main requirements and areas of concern are. While the Regulation is extensive, the main rights it confers can be narrowed down to eight:
- The Right of Access – an individual can request access to the personal data held about them and ask how that data is being used;
- The Right of Erasure (Deletion) – an individual can have their personal data deleted where, for example, it is no longer needed for the purpose it was collected for, or where the consent the processing relied on has been withdrawn;
- The Right of Data Portability – an individual can request that the data they provided be transferred from one service provider to another in a commonly used, machine-readable format;
- The Right of Notification – in the event of a personal data breach, the business must notify the supervisory authority within 72 hours of becoming aware of it, and must inform the affected individuals without undue delay where the breach is likely to result in a high risk to them;
- The Right to be Informed – an individual must be told, at the time their data is collected, what is being collected and why; where the processing relies on consent, the individual must actively opt in;
- The Right to Rectification – where the data held is inaccurate or incomplete, the individual to whom it relates can require that it be corrected or completed;
- The Right to Restrict Processing – an individual can require that their data is no longer actively processed while, for example, its accuracy is being contested; the data may still be stored but may not otherwise be used;
- The Right to Object – an individual can object at any time to the processing of their data for direct marketing purposes, and the processing must then stop. This right must be brought to the individual’s attention clearly and at the latest at the time of the first communication with them.
Knowing what an individual’s rights are will not by itself make a business GDPR compliant, but it helps get it there. The business still needs to ensure that it has taken appropriate technical and organisational security measures to prevent a breach (from locks on drawers to firewalls and encryption) and that the data it holds was gathered in a manner permitted by GDPR. It then needs to limit, as far as possible, its exposure to external factors such as the actions of associates. This is where a Data Protection Officer (DPO) proves invaluable. Not every business is obliged to appoint a DPO (the obligation depends on the nature and scale of the processing rather than on the size of the business), but it is nonetheless good practice to have one whose role is to ensure that the business is as GDPR compliant as is feasible under the circumstances. This greatly reduces the chances of being fined for non-compliance.
Even though a year has passed since GDPR took effect, businesses are still working towards full compliance. This can be attributed to the far-reaching scope of the Regulation described above, and to the many variables a business must consider, which means that time is as significant a cost as money. It takes a large business a substantial amount of time to confirm that the changes it has implemented work as intended and that its various parts are operating consistently. The goal for businesses now is not simply to reach full GDPR compliance, but to reach it without incurring a large fine along the way.
This Article and any content forming part of it is only intended to provide a guide on the subject matter and does not constitute legal or any other advice. If professional advice is required, G.C Charalambous & Co LLC would be glad to assist you in this respect.