What is GDPR and why is it important for my business?
First things first, what is GDPR?
GDPR stands for General Data Protection Regulation. It’s a regulation in EU law on data protection and privacy in the European Union and the European Economic Area.
Did you say Europe? How does it affect me as an Australian business?
GDPR applies to Australian businesses too!
“While the GDPR is an EU law, it applies to any company that makes its website or services available to EU citizens.” This includes U.S. and Australian companies.
Europe’s data privacy and security law includes hundreds of pages’ worth of requirements for organisations around the world – YES – “around the world”, not just for businesses in Europe.
GDPR fines are designed to make non-compliance a costly mistake for a business of any size – both large and small. There are two tiers – ‘less severe’ and ‘more severe’ (who thought of those official naming conventions?!)
It's the data controller's responsibility
Using SaaS or cloud-based platforms does not absolve your business of GDPR violations. Your business should take additional measures to ensure that all requirements and obligations are met.
All cloud-based providers need to be carefully assessed to ensure they meet the necessary compliance regimes such as GDPR, SOC2, NIST and ISO. We recommend carrying out a ‘third-party security risk assessment’ before investing in any third-party cloud technology. Yep! We can help with this!
The GDPR Principles
There’s a lot of detail within the GDPR principles. But we’ve made a simplified checklist to help you understand what’s involved.
Lawful basis and transparency
- Make a list of all data your business stores.
- Keep an accurate and up-to-date list of your processes.
- Keep a list of who has access to what information (see our Data Access Governance page).
There are rules around what needs to be done based on your organisation's number of employees, but even the basics can greatly assist small businesses.
- You need a legal justification for processing personal data.
In Australia, we have special categories for various industries. These include, but are not limited to, healthcare, children and ‘national security’ considerations.
Data protection by design
Data protection needs to be ‘baked in’ to everything your business does – from designing a form to choosing a new CRM.
- Encrypt and anonymise the personal data you store wherever and whenever possible!
- Create an internal information security policy and build awareness of this policy within your team.
- Regularly conduct a data protection impact assessment (depending on your business size, this doesn’t have to be complicated).
- Have a process to notify authorities if you have a data breach – this is called an ‘Incident Response Plan’.
Accountability and Governance
- You must designate someone (yes, an actual real person!) responsible for privacy compliance.
- Appoint a Data Privacy Officer – this isn’t always necessary, but it is still a good idea to have an expert provide advice (even if you’re a small business).
- Understand and sign Data Processing Agreements with your third-party providers (like your cloud and SaaS providers). Most third parties already have these agreements, which set out your and their obligations.
- Make it easy for your customers to request and receive all of the information you hold on them.
- Make it easy for customers to change or update their information (preferably via a self-service portal).
- Make it easy for customers to request full deletion of their data. Customers can request their details in a format that is easily readable – and you need to be able to produce this.
- Customers can object to you processing their data at any time. In the event that they make this request, it is essential that your business complies and stops processing their data.
- Automated processes where decisions about people are made (for example, in human resources or performance management) need a process where a human can intervene and weigh in on the decision if the customer challenges it. 'Customer' in this instance can also mean an employee, or even simply a member of the public who fills out your website form to subscribe to a piece of content.
Here’s how we can help!
We have the methodology and templates that suit small business and medium enterprise. We can assist with any of the checklist points above and prepare you for compliance.
Transform LogiQ can assist with:
- Information audits and process audits.
- Data Access Governance reviews.
- Policy development.
- Privacy compliance advisory.
- Information security, including:
  - Identity and access management reviews and third-party risk assessments.
  - Information governance.
  - Information management and the information lifecycle.
- Assisting you on your compliance journey.
Before you go…
Please note that this is not legal advice! If you require further clarification on the EU GDPR or Australian Privacy legislation we encourage you to seek legal advice via an expert privacy lawyer.