The Dangers of Not Documenting Your GDPR Compliance
Headlines continue to publish bad news for companies who have not ensured compliance with GDPR (General Data Protection Regulation) since the deadline passed back in May this year.
Shockingly, recent figures show that nearly half of companies are still in the implementation phase and almost a quarter are yet to start their GDPR compliance.
According to Reuters, regulators are ready to exert their powers by handing out fines and even temporary bans on companies that breach a new EU privacy law, with the first round of sanctions expected by the end of the year.
If your business is still not GDPR compliant, what does this mean for you? Well, to put things into perspective, you could be risking your business. This is due to the sizeable fines regulators can hand out and the sanctions they CAN and WILL impose.
This blog will explain why you need to ensure your website is GDPR compliant, the risks of not having your GDPR policies in place, and then the good bit - how you can become GDPR compliant before time runs out!
- GDPR: The Recap
- The Dangers of Not Having GDPR Protection Documentation
- How Can Your Website Be GDPR Compliant?
- Want GDPR Compliance Now?
GDPR: The Recap
The deadline for the General Data Protection Regulation was well documented before its arrival. While it was heralded as the biggest shake-up of data privacy laws in more than two decades, it seems that too many businesses have become complacent - and to this, we shake our heads.
If you’re still not familiar with GDPR (we hope you are), not sure what it means, or are still baffled by the term, here is a quick reminder (or get the full GDPR spec here) of what the General Data Protection Regulation is:
‘The GDPR (General Data Protection Regulation) replaces the Data Protection Act 1998 in the UK and will be the new law governing data protection rights for all EU citizens and the businesses that control and process their data.’
GDPR addressed the inconsistent approach to data protection laws that existed amongst EU member states. Compliance brings new responsibilities for data controllers and processors, including requirements for GDPR policies and for how to handle high-risk projects, breaches, and data requests.
It focuses on protecting the rights of two parties:
- Individuals – by clarifying the rights of people to control how their identifiable contact information is controlled and processed by public and private sector organisations.
- Businesses – by providing clear guidelines on how companies can comply with EU data protection laws (as opposed to UK-specific law) in a common marketplace.
Article 5 of GDPR requires that personal data shall be:
a) Processed lawfully, fairly and in a transparent manner
b) Adequate, relevant and limited
c) Accurate, up to date and errors rectified or deleted
d) Kept for no longer than is necessary
e) Processed in a manner which ensures adequate security
So, to set things straight, the General Data Protection Regulation is of huge IMPORTANCE to your business. Without a doubt, the protection of customer and partner data is essential for the survival and success of every organisation, but time really is running out and the journey to GDPR compliance is a path your business must undertake.
The Dangers of Not Being Compliant with GDPR
When it comes to data protection, Elizabeth Denham, UK Information Commissioner of the ICO (The Information Commissioner’s Office) explains:
“Small businesses tend to be less well prepared. They have less to invest in getting it right. They don’t have compliance teams or data protection officers. But small organisations often process a lot of personal data, and the reputation and liability are just as real”.
The dangers (or consequences) of failing to become GDPR compliant are the focus of this blog. Without the right GDPR compliance systems and processes, your business can incur penalties and complaints.
Since May, regulators and enforcers have been deluged with complaints about GDPR violations and breaches. While it was said that authorities initially lacked the powers to fulfil their GDPR duties, don’t breathe a sigh of relief yet: European Data Protection Supervisor Giovanni Buttarelli makes clear:
“I expect first GDPR fines for some cases by the end of the year. Not necessarily fines but also decisions to admonish the controllers, to impose a preliminary ban, a temporary ban or to give them an ultimatum”.
Although authorities might not be ready to investigate all violations and breaches, this doesn’t mean that a breach won’t be just as damaging, and just as immediately, to your organisation and its ability to continue trading effectively.
Dauntingly, the regulation lays out maximum penalties which differ depending on the type of violation - we’re talking sizeable figures. GDPR is a serious matter and should not be ignored. The penalties for non-compliance are eye-watering.
The maximum fine amount for failure to be GDPR compliant or infringement of certain articles of GDPR is €20,000,000 (which, at the current exchange rate at the time of writing, is equal to £17,824,159) or up to four percent of a company’s annual ‘global turnover’ for the preceding year, whichever is greater.
Other fines carry penalties of €10,000,000 or up to two percent of a company’s annual ‘global turnover’, whichever is greater.
The legislation is not just about the fines and punishments. The risk of not meeting GDPR requirements can be costly to your business in other ways. Cyber-attacks can cost up to 2.35 million per incident.
In recent months, the ICO issued Equifax Ltd with a £500,000 fine for failing to protect personal information. Take a look at the news and you’ll see story after story just like this one.
As you can probably imagine, for small and medium-sized businesses, this can mean an abrupt end to your trading. The punishments (or threat) are designed to communicate the importance of your business meeting GDPR compliance.
How Can Your Website Be GDPR Compliant?
Without a doubt, becoming GDPR compliant and having the correct GDPR website documents and policies in place is essential. There is a need for companies, no matter what size, to recognise the value of their data and be aware of the resulting penalties.
So, how can your business shake its non-compliance with the General Data Protection Regulation?
We recommend making your website GDPR compliant and GDPR friendly with immediate effect.
We believe there are two key factors to GDPR regulation: keeping customer data secure and making marketing communications as clear as possible.
Here are six steps, a sort of basic guideline, to follow in making sure you and your business’s website are compliant with GDPR.
- Analyse and review your company’s current use of data. Are you collecting data and if so why? Is that data secure or are you sharing it with anyone? Asking these questions about your data will uncover whether you have anything to worry about with GDPR.
- Understand the data you're collecting and the rights of people you are collecting it from. This includes GDPR giving people the right to request a copy of their personal data held by your business.
- Report data breaches. Organisations have just 72 hours to gather all related information and report data breaches to the relevant regulator.
- Make sure whenever your website is asking for someone’s personal data it is clearly asking for consent. This is vital once your business becomes GDPR compliant.
- Finally, understand if you are a ‘data processor’ or ‘data controller’. A ‘processor’ processes data on behalf of the controller. A ‘controller’ decides what type of information gets collected.
Want GDPR Compliance Now?
If you don’t want to waste any time and get GDPR compliant right now, you can purchase our GDPR Protection Pack that includes all of the GDPR templates your website, and business, will need to become GDPR compliant.
In the pack, you will receive:
- GDPR Data Protection Audit
- GDPR Audit Guidance Notes
- Legitimate Interest Assessment (LIA)
Employee GDPR Protection:
- GDPR Employee Data Protection Policy
Website GDPR Protection:
- GDPR Data Protection Policy
GDPR Security Policy:
- GDPR Data Security Policy
Subject Access Request (SAR):
- Subject Access Request Form
SAR Initial Replies:
- Fee and/or Additional Time
- Receipt of ID
- No Data Found
2018 is the year of GDPR. Heading into 2019 with GDPR compliance still hanging over your head, or as one of the businesses that think they don’t need to comply, could lead to unprecedented problems.
But we can’t state it enough: time is of the essence to get compliant. Is it really worth taking the risk? Find GDPR compliance before the ICO finds you.
When it comes to GDPR, don’t risk it: indications are that 2019 is the year of the fine. Our simple GDPR Protection Pack is the most efficient way to become compliant.