How the GDPR May Impact Your Company's Data Collection Efforts
In 2015, the European Union's (EU) authoritative and advisory bodies approved the General Data Protection Regulation (GDPR) to offer greater data privacy to people obtaining products and services from companies. This set of regulations seeks to make data breaches less likely when companies gather, transmit and store personal information. Companies had to prepare their data privacy protection policies and ERP systems to comply with these regulations by the deadline or face penalties.
As digitalization grows around the world, companies that provide international goods and services must be careful about how they collect and store customer data in their ERP systems when processing invoices, filling customer orders and shipping products. Attackers are becoming more devious and more active in causing security breaches. Not only are companies dealing with the headaches from these breaches, they are also facing stiff data breach fines from national regulators. Yet there has been some confusion about which companies are affected by this legislation.
What Does GDPR Mean to Small Business Owners?
Simply put, the GDPR provides rules on how a company asks permission to gather a customer's data, how much personal data may be collected, how that data is stored, and how it will be used. It lays out a set of basic principles for data protection:
Data collection must be done in a transparent and legitimate manner to uphold the integrity of personal data
Adequate security must be provided whenever a company processes personal data
A company must define the intended objective for collecting the data, so that its collection efforts are legitimate and tied to a specific purpose
The amount of data collected must be minimal and relevant to its intended purpose, and it should only be made available to the employees who need it to process it
Personal data should be kept up to date to maintain its accuracy; inaccurate data must be deleted or rectified immediately
Data placed into storage must only be kept for as long as it is strictly necessary, unless it is held for specific archival purposes such as scientific research, historical research, statistical purposes or other reasons stated in Article 83 (1) of the GDPR
In addition, there have been key changes to what companies must do in case of a data breach. Data subjects (any customer whose data has been collected by the company) must be informed about the breach, and they have been given specific rights under the GDPR. Such rights include the right to obtain confirmation of whether their personal data was collected or processed by the company, and the right to have the company erase the personal data and halt further processing by third-party vendors.
Is Your Company Impacted and What Are the Penalties?
The GDPR affects any company that collects personal data while selling goods and services to EU citizens. It also affects companies that collect data for monitoring, processing and storage purposes. The regulation applies to companies both inside and outside the EU. As for penalties, it is a tiered fine system based on which GDPR rules a company has failed to follow. The maximum fine is 4% of annual global turnover or €20 million.
The new rules have already led to potential fines against some social media platforms. Facebook, Google, WhatsApp and Instagram could face a total of $9.3 billion in fines. These companies were hit with privacy complaints the day the GDPR took effect.
What Should You Do to Prepare?
There are some basic steps you can take to stay in compliance with the GDPR. The most important one is this: if you do business with EU citizens and have not yet read up on the GDPR, you need to become acquainted with the rules now.
Next, take a look at your existing data privacy policies and ERP procedures to ensure that they comply with all articles of the GDPR. Make any needed changes to how you obtain consent for data collection, and familiarize your staff with these changes. Any employee who is considered a "data processor" must obtain clear, concise and explicit consent from adults, or parental consent for people under the age of 16, before collecting their personal information. If your company performs large-scale processing or systematic monitoring of personal data, or your company is a public authority, you must appoint a data protection officer.
In addition, define the scope of your data collection objectives. Put a system in place that supports accurate data collection and lets personal data be updated, so that the data you hold stays accurate. You should also define how data is stored and for how long it should be kept.
Getting your company into compliance is essential. If you are worried that your ERP system is not in compliance with GDPR, reach out to the professionals at Exceptional Software Solutions. We'll check your existing ERP resources and provide you with solutions so you can avoid data breach fines.