GDPR is a European Union law that requires businesses operating in the EU to justify how certain data is collected and used.
Failure to comply with GDPR can profoundly affect a business, including fines, and in some cases, imprisonment.
In today’s blog, we will define GDPR and talk about the necessary steps to take if you have a business or plan to do business in EU countries.
In A Hurry?
● GDPR stands for General Data Protection Regulation.
● GDPR affects all businesses in the European Union and many companies outside of the EU that collect personal data.
● Personal data such as social security numbers, dates of birth, and most other personally identifiable information usually falls under GDPR.
● Failure to comply with GDPR can mean penalties such as fines or imprisonment.
What Is GDPR?
General Data Protection Regulation, also known as GDPR, was passed into law on May 25th, 2018.
The general points that GDPR covers are:
● What companies can do with people’s data.
● How businesses collect and use personally identifiable data.
● How companies must justify everything they do with your data.
While many think that GDPR applies only to businesses operating in EU countries, it also covers businesses in non-EU countries that have customers, or potential customers, residing in EU countries.
GDPR was enacted to help protect consumers from illegal or unscrupulous data collection practices.
Since previous data collection laws were passed before the proliferation of the Internet and smartphones, the passage of GDPR is meant to update and expand these protections in the new age of big data and data collection procedures.
While GDPR mostly focuses on consumers’ “personal data,” there are other factors to consider if you are a business based in the EU or have customers in the EU.
What Is Personal Data for GDPR?
Personal data that falls under GDPR means any information that relates to, or can be used to identify, a natural person, otherwise known as a “data subject.”
The most common examples of GDPR data include:
● Dates of birth
● Social Security numbers
● Phone numbers
● Email addresses
● IP address or location
● Health data
Some not-so-recognisable data sets are also included in GDPR because they can be used to identify a person.
These relatively uncommon data points include information that is usually considered private and subjective like:
● Political opinions
● Eye colour
● Genetic data
● Other character traits
● Trade union membership
● Racial or ethnic origin
Common Data Not Included in GDPR
According to GDPR legislation, there may be times when the requested data does not fall under GDPR because it may not be unique to the person.
For example, someone’s name may not always be personal data because many individuals share that same name.
However, when a person’s name is combined with other data like employment, phone number, or permanent address, it squarely falls under GDPR.
It is up to the business’s compliance team to determine the context in which the data is collected.
What Does GDPR Mean For Your Business?
Under GDPR, businesses must follow stricter policies on how they collect consumers’ data and what they do with it.
A business must collect data using “opt-in” measures that allow the consumer the choice to give their information or not.
These measures usually include adding disclaimers about GDPR when collecting data.
Companies must also implement data collection policies that ensure consumer data processing is limited to what is necessary and that the data is kept only as long as it serves its purpose.
To comply with these new regulations, many businesses choose to mask the personal data they lawfully hold.
Two common forms of data masking include:
● Data Encryption – this process obscures information by transforming identifiers into an unreadable form. The data is then readable only by “approved users” who can decrypt it and see the full data set.
● Data Pseudonymization – this process also masks data by replacing identifying fields with artificial identifiers, though its use is more limited than data encryption.
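As an added illustration of the pseudonymization described above (example code written for this post, not a tool from Dania Accounting), the following replaces the identifying fields of constructed sample records with keyed HMAC pseudonyms and keeps the re-identification table as a separate object; the key and the records are made-up placeholders.

```python
import hmac
import hashlib

# Constructed sample records (not real people). Email, phone and IP
# address are among the identifiers the post lists as personal data.
RECORDS = [
    {"email": "anna@example.com", "phone": "+45 11 22 33 44",
     "ip": "203.0.113.7", "purchase": "book"},
    {"email": "bo@example.com", "phone": "+45 55 66 77 88",
     "ip": "203.0.113.9", "purchase": "pen"},
]
IDENTIFIERS = ("email", "phone", "ip")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym for one identifier.

    The same value always maps to the same token, so analytics can still
    count and join records. Without the key the token cannot be linked
    back to the person, and unlike a plain hash it cannot be reversed by
    hashing guessed candidate values."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key: bytes):
    """Return (pseudonymized records, re-identification table).

    The table is the 'additional information' that must be stored
    separately from the working data set, with its own access controls."""
    lookup = {}
    masked = []
    for rec in records:
        new = dict(rec)
        for field in IDENTIFIERS:
            token = pseudonym(rec[field], key)
            lookup[token] = rec[field]
            new[field] = token
        masked.append(new)
    return masked, lookup


def reidentify(record, lookup):
    """Restore original identifiers for an approved user holding the table."""
    return {f: (lookup.get(v, v) if f in IDENTIFIERS else v)
            for f, v in record.items()}


if __name__ == "__main__":
    masked, table = pseudonymize(RECORDS, b"constructed-demo-key")
    print(masked[0])                      # identifiers replaced by tokens
    print(reidentify(masked[0], table))   # original record restored
```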
What Is GDPR: Conclusion
Many businesses fear that they are out of compliance with GDPR and will face stiff penalties.
While companies as large as Google have been ordered to pay massive multi-million dollar fines, the procedures for maintaining GDPR compliance can be put in place quite easily.
With the help of accounting consultants like Dania Accounting, this move can be relatively painless.
Dania Accounting offers consultation on GDPR compliance related to data retention, data requests, data loss, and data protection.
We understand how GDPR works and will ensure that you minimize risk when it comes to compliance.
If you are ready to discuss your GDPR compliance plans, navigate our Contact Us page, or schedule a consultation call with us.
We look forward to helping you in all areas related to GDPR compliance.