On May 25, 2018, the European Union will begin enforcing a new law, the General Data Protection Regulation (GDPR), governing how companies collect and store user data. All businesses with customers in the EU will be affected. Our UK special correspondent, Maeri Howard, explains what craft business owners need to understand about the new regulations.
+++++
Have you purchased an item online only to find that a few days later, out of the blue, you have been sent a newsletter from the company highlighting products that you might want to purchase?
Or found a tickbox buried at the bottom of the page for a product you are about to buy, already ticked for you, which allows the manufacturer to keep your email on file for future use?
These types of misuse of your personal data have gradually slipped into our browsing experience so much so that once a week, I take the time to sweep my inbox of unwanted emails from companies that I never knew had my email address.
But later on in the Spring, all of this is set to change.
On May 25th, 2018, the most influential change to data regulation in over 20 years will come into effect, and even though this is a European law, GDPR, or General Data Protection Regulation, will affect “all companies processing the personal data of data subjects residing in the European Union, regardless of the company’s location”. Personal data isn’t just emails – it can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address. So if your business is doing business with people from within the EU (and that includes Britain), there is a very good chance that it will affect you.
The change has been driven by the fact that so much of the personal data we exchange is now digital, and that format can be abused or, in several recent high-profile cases, stolen (Facebook and Cambridge Analytica is the most recent example); the GDPR was needed to reflect that. After four years of debate and preparation, the GDPR gives the power to control what happens to your data back to the source – the person the data is about – and also heavily fines companies that don’t update their processes to fit the new framework (the maximum fine is 4% of a company’s annual worldwide turnover or €20 million, whichever is greater).
So what does that mean for your business and should you be panicking?
Well, the good news is that the GDPR recognizes that smaller businesses (which I am going to make a safe assumption that most CIA members are) require different treatment from large or public enterprises. The regulation itself applies to organizations of every size, but Article 30 exempts organizations with fewer than 250 employees from the duty to keep formal written records of their processing activities, unless the processing is likely to put individuals at risk, is not occasional, or involves sensitive categories of data. Likewise, the requirement to appoint a Data Protection Officer (Article 37) does not hinge on headcount: it applies to public authorities and to organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data, which most small craft businesses will not be doing. If you have fewer than 250 employees, the onus is on you to work out what personal data you store and how you use it (a data assessment) and whether that use is GDPR acceptable; if there is an “at risk” factor, such as handling health data or systematically tracking customers’ behaviour, then appointing a Data Protection Officer would be prudent.
In talking to companies that fall well under the 250 cut-off, most of the data they hold is actually held by third-party or cloud software companies – MailChimp, PayPal, Google, Evernote, Canva (yes, images are included as data), Grammarly, Adobe – and these companies will be putting in place (if they haven’t already) safeguards for your data (let’s be honest, your data is their bread and butter, so it is in their best interest to ensure they follow the rules). Be aware, though, that using them does not hand over responsibility: under the GDPR you remain the “controller” of your customers’ data and they are your “processors”, and Article 28 requires a written contract (usually a data processing agreement or addendum that the provider publishes on its website) between you and each of them. Signing those, and keeping a simple list of which provider holds which data, covers a large part of what the regulation asks of a small business. If you are unsure whether the software you use to obtain data is GDPR compliant, it is worth checking the provider’s website for its most recent update.
If you’re unsure how to proceed, the Information Commissioner’s Office (ICO) has a data protection self-assessment survey to help you get ready for the GDPR. It is a bit of overkill for most small businesses, but if you want to see what will be required for businesses of all sizes, then have a look:
+++++
Maeri moved to the UK from New York 25 years ago and now combines her degree in marketing, her role as a small business cheerleader, and her love of making to start a home-based craft business on a beautiful canal outside of Manchester, UK, called The Make and Do Studio. Maeri has spoken at various industry events about the changing face of creative businesses and how they can co-exist in a digital world. She also works with woman-owned small businesses to help them become more digitally confident. Find her at http://www.maerihoward.com/
Hmm, this is a little skimpy. I am in Germany and my internet provider, my domain host and others have started to bombard me with emails explaining what I need to do to comply with the new regulations. And that’s a lot. Let me be clear: I am a one-woman show. Far below the figure of 250 you are naming and which only regards the GDPR officer (the smaller ones still need to make an assessment of what they collect, how/where it is stored and what could go wrong). People who use MailChimp, for instance, need to download a contract from their website, sign it and return it to MailChimp. The same for those who use Google Analytics. Furthermore, you are obliged to get your website an SSL certificate. You need to tell people what you will do with the data you collect when they use your contact form or the comment section on your blog. You also need to explain in your privacy policy who collects and holds the data when you have social icons on your website. You have to explicitly state that it is not you and that you can’t access the data. However, it isn’t clear if the new law sees you as responsible or only the third party… So, I ended up taking legal advice. And this is exactly what all the emails you get about this topic say you should do.
Hello Jessica and thank you for your comment. Writing an article about GDPR as it pertains to *specific* countries’ requirements would be an onerous task, and this article wasn’t intended to highlight what is required for each country.
While I appreciate that, in your German example, there are many layers of bureaucracy and paperwork to comply with GDPR, that might not be the same for other countries. People who operate businesses in individual countries will have to consider what additional legislation is required and also include this as part of the process of ensuring compliance.
It would be interesting to hear other members’ experiences with regards to ensuring GDPR compliance – is it similar to Jessica’s? Or are your country’s requirements different?
Hi Maeri,
Thank you for your reply. Please note that I am not writing from a German perspective, but from a European one. What my Dutch and German internet providers, hosts as well as MailChimp are complying with, is the GDPR and not German or Dutch national law.
Cheers, Jessica
My apologies for my delay in replying – I have been busy teaching and haven’t had a chance to reply in full. I also wanted to ensure that my reply was written in a manner in which I wanted it to be interpreted.
While I completely understand that every business has to be aware of GDPR and how to apply it (which we both agree on) where perhaps we see it differently is the need to be fearful that we may have missed some aspect of it and therefore, fined heavily.
Yes, GDPR is a new law and yes, we should comply as best we can, but it is a new law and a complex one. This makes it harder to distill down to a level that businesses – small businesses – understand and implement.
The watchdog responsible for overseeing all this in the UK is Information Commissioner Elizabeth Denham. Please read this short snippet from a BBC report with a quote from her, which I think will enlighten those who don’t know if they need to employ legal help (or in some cases, I have heard of people considering closing their businesses):
“We will have more powers to stop companies processing data, but we only take action where there has been serious and sustained harm to individuals,” she explained.
“What this new fining power gives us is the ability to go after larger, global and sometimes multi-national companies where the old £500,000 fine would just be pocket change.”
She added that she accepted that some companies will need time to become fully compliant.
“The first thing we are going to look at is, have they taken steps, have they taken action to undertake the new compliance regime,” she added.
“Do they have a commitment to the regime?
“We’re not going to be looking at perfection, we’re going to be looking for commitment.”
Large fines will be reserved for the most serious cases, she said, when a company refuses to comply voluntarily.
Overall effect?
Companies will be obligated to clearly inform individuals about why they are collecting their personal data, how it is going to be used and with whom it is going to be shared.
All of which means that the GDPR should make our personal data safer and less easily obtained by those we don’t want to have it.
But there will be teething pains and some organizations that don’t adapt in time will suffer.
The bit that stands out in her comment that I wanted to point out (and is the essence of the article I wrote) is “We’re not going to be looking at perfection, we’re going to be looking for commitment.” I know for my business we tick those boxes – SSL certificates, only using their email addresses for the reason intended, etc. – and would have no problem ensuring our commitment to comply is rock solid.
Will I be seeking legal help? No. I may have to adapt certain things with my business as the specifics of GDPR become more known, but anyone looking at my business would be able to see that I was committed to the spirit of GDPR and that if I missed something, it wasn’t out of malice or misuse.
Hopefully, this will knock a bit of the fear about GDPR that is rampant at the moment. The internet is rife with it and we just have to remind ourselves to take a common sense approach to GDPR.