The simple answer is that every company that processes personal data about people in the European Union (EU) is affected by the General Data Protection Regulation (GDPR).
The regulation came into effect in May 2018. It is a wide-ranging piece of legislation designed to protect the privacy of individuals in the EU and give them control over how their personal data is processed, including how it is collected, stored and used.
It is not something that businesses of any size should simply treat as an inconvenience. It was created so that companies are better able to cater to the needs of their customers, while establishing universal best-practice protocols to support information management policies, procedures and technologies. This will minimise data loss incidents as well as data breaches.
Fines
Any company, big or small, has to comply with the regulations regarding the secure collection, storage and usage of personal information. What’s more, violations will be met with fines.
The GDPR applies not only to organisations located within the EU but also to organisations located outside the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company's location.
Organisations can be fined up to 4% of annual global turnover or €20 million for breaching GDPR.
This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core Privacy by Design concepts.
There is a tiered approach to fines: for example, a company can be fined 2% for not having its records in order (Article 28), not notifying the supervisory authority and data subject about a breach, or not conducting an impact assessment.
Both the GDPR legislation and the UK's Information Commissioner's Office are responsible for enforcing data protection laws, which unequivocally apply to everyone.
Article 30
There seems to be a lot of confusion over Article 30 of the GDPR, which in the final draft states that there is a difference between the types of records a company should keep depending on whether it is an SMB or a large enterprise.
Companies with fewer than 250 employees are required to hold internal records of processing activities if the processing of data could put an individual's rights or freedoms at risk, or if it pertains to criminal activity.
For those with more than 250 employees, more detailed records need to be kept. These include the name and details of your organisation, the name of your assigned data protection officer, the reasons for processing the data, a description of the categories of data being processed, details of the recipients of the data, how long it will be retained, details of transfers outside the EU, and an overview of the security measures your organisation has put in place.
However, even as an SMB you may need to disclose all of that additional information, as you are only exempt from doing so if you process EU residents' data only occasionally.
The GDPR explicitly states that SMBs need to provide the same level of detail about processing activities as a large enterprise if "the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data… or personal data relating to criminal convictions and offences referred to in Article 10".
The two central objectives of GDPR are:
1) give citizens and residents back control of their personal data and
2) simplify the regulatory environment for international business by unifying the regulation within the EU.
Overall, the legislation has been introduced to encourage companies across the EU to think seriously about data protection. As well as regulatory penalties, it is worth remembering that individuals can sue you for compensation to recover both material damage and non-material damage, such as distress.