With the deadline just around the corner, we all need to be on top of the GDPR changes and what they mean for our businesses. We’ve put together 3 key facts about GDPR to help you prepare for the upcoming change in the law.
What rights does GDPR give an individual and how does this impact your business?
GDPR gives individuals the following rights over their personal data, which apply to every business that processes it:
- Right to be informed
Your business must be transparent about how you use personal data.
- Right of access
Individuals have the right to access their personal data, meaning that you and I have the right to ask any business to show us all of the data it keeps about us. If someone makes a subject access request to your business, you must respond without undue delay and in any case within one month of receiving the request (extendable by up to two further months for complex or numerous requests, provided you tell the individual why within the first month), and you must provide ANY data that you hold on them. Bear in mind that this includes business text messages or emails containing the individual’s data.
- Right to rectify personal data
This means that an individual has the right to contact your company at any time and require you to correct inaccurate personal data about them, or to complete personal data that is incomplete.
- Right to be forgotten
Individuals have the right to have their personal data erased by your company provided that you no longer have a valid lawful reason to process it (the right is not absolute; for example, data you are legally required to retain can be kept). If you receive a valid request for erasure, you have to remove any identifiable data that you hold about that person, and if you have shared the data with others you must take reasonable steps to tell them too (remember these rights apply to paper documents as well as digital files).
How much can I get fined and what are the consequences for non-compliance?
When looking at fines for non-compliance with GDPR, it’s important to remember that the figures usually quoted are the maximum amounts a business can incur, and the actual fine depends on factors such as the nature, gravity and duration of the infringement and whether it was intentional or negligent. However, this does not mean that the fines and penalties should not be taken seriously! There are two tiers of administrative fines:
- Up to €20 million or 4% of the company’s total worldwide annual turnover of the previous financial year, whichever is higher (for the most serious infringements, such as breaching the basic principles for processing, the conditions for consent, or data subjects’ rights)
- Up to €10 million or 2% of the company’s total worldwide annual turnover of the previous financial year, whichever is higher (for other infringements, such as failing to keep adequate records, to notify a breach, or to carry out a required data protection impact assessment)
Supervisory authorities also have a range of other corrective powers, which they can use instead of or alongside a fine, including the power to:
- Issue warnings
- Issue reprimands
- Order compliance with data subject requests
- Order you to communicate a personal data breach directly to the affected data subjects
What qualifies as personal data?
The golden rule when it comes to personal data is: if you’re unsure whether the data you have on an individual qualifies as personal and you can’t think of a good lawful reason to keep it, delete it from your system and make a note in your GDPR records (unless another legal obligation requires you to retain it). Personal data is any information relating to an identified or identifiable living person, whether it identifies them directly or indirectly in combination with other data. Examples include names, dates of birth, contact details, physical descriptions and photographs, but also identifiers such as IP addresses, cookie IDs, account numbers and location data.
Make sure you are GDPR compliant – the consequences are not worth it.