
What is GDPR and How Does it Affect Your Payroll System?

Internet privacy and security have very much been in the news in the last 2 years, whether in the form of various Facebook privacy scandals, issues surrounding government snooping or the much heralded (or lamented, depending upon your viewpoint) GDPR.

Virtually anyone who has spent more than 30 minutes online will have seen the implications of GDPR in the form of the many pop-ups asking you to accept cookies. But what does all this mean for businesses? And how can you make sure that you are complying with these new laws?

GDPR stands for ‘General Data Protection Regulation’ and came into force on May 25th, 2018 affecting all the member states of the EU. It is an evolution of the previous Data Protection Act from 1998 and aims to help safeguard personal data, while holding businesses accountable.

What You Need to Know

While the nitty-gritty of GDPR is complex and beyond the scope of this post, the main thing that you need to understand is that GDPR is about data protection. Prior to its implementation, there was no real punishment for the misuse of a person’s data.

This has now changed, with companies potentially facing huge fines (up to 20 million Euros, or 4% of the company’s annual turnover) from the EU if they are not transparent and ethical in their use of data held on individuals.

It goes without saying that if you run a business you now need to be GDPR compliant in order to avoid such penalties. This might mean anything from making changes to your website (e.g. expressly requiring consent for the use of tracking cookies, as seen in the pop-ups you have accepted on websites you visit) to making serious, substantive changes to systems that collect sensitive data.

Essentially the issue revolves around the ownership of data, and what is and isn’t permissible for a company to do with that information. If a company collects data about shopping habits through a survey conducted in the street, then that is their information and they are free to sell it or use it as they see fit.

But how about companies that track your use of a certain app, that came pre-installed on your phone?

How about websites that store cookies recording the products that you’ve looked at, then use this information in conjunction with third parties to ‘retarget’ you with relevant ads?

Facebook’s Cambridge Analytica scandal serves as a recent and pertinent example of how companies are still misusing data today.

Thus, GDPR makes it easier to know where that line is and to ensure that customers opt-in to that kind of data collection, rather than being expected to opt-out (which often includes locating a tiny settings option after reading through reams of jargon).

What This Means for Your Business

Virtually every company located within the EU or providing goods and services to EU citizens will be impacted in some way by GDPR, even if they’re not collecting personal data on an industrial scale like Facebook. If you have a website that displays ads, for instance, then you are still likely to be setting cookies and will need to comply with the implied terms of GDPR.

Systems that collect and transfer sensitive personal data, such as HR and payroll systems in particular, will require special consideration. On the one hand, companies will now need much more robust and secure systems for holding and transferring data such as salaries and banking details; on the other hand, GDPR also strengthens employees’ right to view the data held on them and requires companies to be transparent about it.

Questions you need to ask yourself to determine whether you are being GDPR compliant include:

Did your employees give you express permission to use their data?

Does the data processing you are carrying out abide by GDPR rules?

Is the transfer of employee sensitive data secure?

Can employees readily and easily view the data you have on them?

GDPR is not prescriptive: it doesn’t offer solutions, but rather sets out the abstract goals you need to meet.

So, what are the key steps you need to take?

Firstly, make sure that any payroll software or system you are using is compliant with GDPR. The best GDPR-compliant systems will have this built in already, by being encrypted and secure, ideally using cloud-based solutions rather than spreadsheets and email.

Likewise, consider staff training to help your employees properly understand the laws and what constitutes a data breach.

Similarly, consider security. GDPR places greater emphasis on the importance of security and on protecting the data that you are collecting. If you have not invested in security consulting for your IT systems, then now is a very good time to do so.

While this might all seem a little daunting, the truth is that compliance with GDPR will help you to provide a better service and to work better with your employees. And that is better for everyone.
