Digitalizemenow offers small and medium size businesses bespoke web designs and fully integrated management of their digital marketing platforms. As such, we’re up to date with new developments in anything digital.
Over the last few months, the recurring question ‘What is GDPR?’ has been raised by clients, friends and even students discussing its impact on Irish businesses at the local bus stop. The GDPR has only just come into force, and Max Schrems has already filed the first case under the GDPR against Facebook and Google. So the GDPR definitely needs to be taken seriously!
So, with that in mind, I thought I would attempt to write a blog covering “some of the basic questions” posed recently, GDPR 101 if you like! This is mainly for the interest of small businesses.
Small businesses are exempted from hiring a full time data protection officer!
What does GDPR mean?
General Data Protection Regulation or GDPR is in force as of the 25th of May 2018, replacing the existing data protection framework under the EU Data Protection Directive.
What does it do?
The GDPR emphasises transparency, security and accountability by data controllers and processors, while at the same time standardising and strengthening the right of European citizens to data privacy.
How does it affect small to medium enterprises?
While every business in Ireland must abide by the new laws, the GDPR, under Article 30, acknowledges that it is not feasible for small businesses to abide by some of the new legislation. Businesses with fewer than 250 employees that do not collect a lot of personal data are exempt from:
1. hiring a full-time data protection officer
2. keeping formal records about company data processing methods
3. reporting minor data breaches, as long as there is no risk to the rights of the people involved.
Small businesses will be accountable for any breaches and could pay up to 4% of their profits if a breach is proved. In a nutshell, if you collect personal details about customers for your business then you must:
1. Keep customer data safe – i.e. a good strategy is to put one manager in charge of this data; don’t give everyone in your business access to it!
2. Not use their information for anything other than the purpose it was provided for.
3. If you send texts, newsletters or the like, provide a clear opt-out button/notification.
What data is included in the GDPR?
There are two main types of data under the GDPR: personal data and special category personal data.
Under the GDPR, personal data is data that relates to or can identify a living person, either by itself or together with other available information. Examples of personal data include a person’s name, phone number, bank details and medical history.
Organisations that collect or use personal data are known as data controllers and data processors.
Special category personal data
Special category personal data, also known as sensitive data, means personal data relating to any of the following:
- Racial or ethnic origin, political opinions, or religious or philosophical beliefs
- Membership of a trade union
- Physical or mental health or condition, or sexual life
The processing of special category data is prohibited unless the data subject has given their explicit consent before processing begins or the processing is authorised by law, for example, to protect the interests of a data subject, to comply with employment legislation or for reasons of public interest.