Small Business GDPR Awareness Primer
In the last few weeks chatter about the GDPR (General Data Protection Regulation) has increased exponentially. The European Union’s GDPR legislation has brought levels of panic for small businesses that haven’t been seen since Y2K!
Here is an awareness primer for those still trying to get their head around it.
What is data protection?
- Data protection has to do with protecting data you hold from unauthorized access. Examples of this include encryption, firewalls, backups, and secured servers. A data breach would be the result of insufficient data protection.
What is data privacy?
- Data privacy has more to do with managing who has authorized access to the information you hold. If an individual has given you consent to store their billing information and you give this to another company to use without the individual’s permission, this would be a data privacy violation. Using that same information within your own company but for another non-consenting (and therefore unauthorized) process is also a violation.
Both data protection and data privacy work together to ensure that the personal information of the individuals we work with is appropriately handled.
What is personal information?
Personal information is defined as any “information about an identifiable individual.” This includes information such as:
- email address
- phone number
- banking information, credit/debit card data, purchases, loan reports
- Social Insurance Number (SIN), or other identification numbers
- race, ethnic origin, religion, education or income level
- age, height, blood type, medical records
Why is Data Privacy so Important Anyway?
Customer Service and Experience
- Keeping the private information of customers protected, and upholding their personal rights, is a good way to keep customers confident and comfortable with the company. By demonstrating that we can protect their data, and working with them on any privacy concerns or requests, we show that data privacy is important to us, and that we can be trusted with personal information.
- As customers are becoming more concerned about their data privacy (look at the recent situation with Facebook and the research company Cambridge Analytica), a company that can be sensitive to privacy concerns and deliver appropriate protective measures for personal data will be the safer and more comfortable choice for customers.
- We also have a legal requirement to protect the personal data of our customers and employees.
- Breaking the law can lead to a variety of negative consequences, including complaints, investigations, audits, and fines.
- The major legislation that we are dealing with is the EU’s General Data Protection Regulation, or GDPR.
What is the GDPR?
- The GDPR is a regulation adopted by the EU governing personal data use and protection. Even though the GDPR is a regulation for the EU, its scope includes any business that processes the personal data of citizens of the EU, even if they do not physically operate in the EU.
- The GDPR outlines six principles to govern the protection of data. According to the GDPR, personal data must be:
  - processed lawfully, fairly, and transparently
  - adequate, relevant, and limited to what is necessary for processing
  - accurate and kept up-to-date
  - kept in a form such that the data subject can be identified only as long as is necessary for processing
  - processed in a manner that ensures its security
  and can only:
  - be collected for specified, explicit, and legitimate purposes
All citizens of the European Union are granted certain rights under the GDPR in relation to their personal information:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
- An organization has the responsibility to ensure that these rights are upheld.
Luke Henderson is privacy officer at Velsoft Training Materials.