On May 25, 2018, the European Union will begin enforcing a new law, the General Data Protection Regulation (GDPR), governing how companies collect and store personal data. All businesses with customers in the EU will be affected. Our UK special correspondent, Maeri Howard, explains what craft business owners need to understand about the new regulations.
Have you purchased an item online only to find that a few days later, out of the blue, you have been sent a newsletter from the company highlighting products that you might want to purchase?
Or found a tick box buried at the bottom of the checkout page for a product you are about to buy, already ticked on your behalf, allowing the manufacturer to keep your email address on file for future use?
These types of misuse of your personal data have gradually crept into our browsing experience, so much so that once a week I take the time to sweep my inbox of unwanted emails from companies that I never knew had my email address.
But later on in the Spring, all of this is set to change.
On May 25th, 2018, the most influential change to data regulation in over 20 years will come into effect, and even though this is a European law, GDPR, or the General Data Protection Regulation, will affect "all companies processing the personal data of data subjects residing in the European Union, regardless of the company's location". Personal data isn't just email addresses: it can be anything from a name, a photo, bank details, posts on social networking websites or medical information to a computer's IP address. So if your business is doing business with people within the EU (and that includes Britain), there is a very good chance that it will affect you.
The change has been driven by the fact that so much of the personal data we exchange is now digital, a format that can be abused or, in several recent high-profile cases, stolen (Facebook and Cambridge Analytica being the most recent example), and the law needed to catch up. After four years of debate and preparation, GDPR hands control over what happens to personal data back to its source, the person the data describes, and heavily fines companies that fail to update their processes to fit the new framework: up to 4% of a company's annual worldwide turnover or €20 million, whichever is GREATER.
So what does that mean for your business and should you be panicking?
Well, the good news is that GDPR recognizes that smaller businesses (which I am going to safely assume most CIA members are) require lighter treatment than large or public enterprises. Article 30 of the regulation exempts organizations with fewer than 250 employees from the duty to keep formal written records of their processing activities, unless the processing is likely to pose a risk to individuals, is not occasional, or involves sensitive categories of data. That is an exemption from one piece of paperwork, not from the regulation itself: small businesses still have to follow the core principles. Nor is a Data Protection Officer required purely on headcount; the appointment is mandatory for public authorities and for organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data, which very few craft businesses will be. Instead, smaller companies can self-assess and regulate themselves. If you have fewer than 250 employees, the onus is on you to review what data you store and how you use it (often called a data audit), decide whether that use is acceptable under GDPR, and, if there is an "at risk" factor, consider whether appointing a Data Protection Officer would be prudent.
In talking to companies that fall well under the 250 cut-off, most of the data they hold is actually held for them by third-party or cloud software companies, such as MailChimp, PayPal, Google, Evernote, Canva (yes, images count as data), Grammarly and Adobe, and these companies will be putting in place (if they haven't already) safeguards for that data (let's be honest, your data is their bread and butter, so it is in their best interest to follow the rules). Much of the work of keeping customer data safe and secure therefore falls to the software marketplace and payment provider, and relying on their compliance makes it easier to fall into line with the new regulation. One caveat: under GDPR you remain the data controller and these services are your processors, so you are still responsible for choosing providers that offer GDPR-compliant terms and for what you do with the data on your side, such as who you email and whether they agreed to it. If you are unsure whether the software you use to collect data is GDPR compliant, check the provider's website for its most recent update.
If you're unsure how to proceed, the Information Commissioner's Office (ICO) offers a data protection self-assessment checklist to help you get ready for GDPR. It is a bit of overkill for most small businesses, but if you want to see what will be required of businesses of all sizes, have a look:
Maeri moved to the UK from New York 25 years ago and now combines her degree in marketing, her role as a small business cheerleader, and her love of making in a home-based craft business on a beautiful canal outside Manchester, UK, called The Make and Do Studio. Maeri has spoken at various industry events about the changing face of creative businesses and how they can co-exist in a digital world. She also works with women-owned small businesses to help them become more digitally confident. Find her at http://www.maerihoward.com/