A New Year’s Resolution for SMEs: If you haven’t put the GDPR into practice yet, you should start now!
By Lynn Goldstein, Founder of GDPRsimple
You keep saying to yourself: “GDPR, what is it? I know that we need to do something about the GDPR.” Or you are saying: “It’s our 2020 goal to do more to implement the GDPR.” Or are you responding to biz dev and RFP opportunities and know that your response isn’t up to snuff? Not a problem, start now!
GDPR expanded the rights provided to individuals in the EU Directive and created several entirely new rights that regulators have started enforcing against SMEs.
Under the GDPR, individuals have the right to:
- Be informed (e.g. told what personal data about them are collected and how their personal data are used)
- Access their personal data
- Rectify their personal data if it is inaccurate or incomplete
- Erase personal data when certain grounds apply (to be explained in a subsequent blog)
- Restrict processing of personal data when certain grounds apply (to be explained in a subsequent blog)
- Port data (specifically when data is processed based on consent or contract and is carried out by automated means)
- Object to processing of personal data concerning them under certain circumstances (to be explained in a subsequent blog)
- Refuse to be subject to automated decision-making, including profiling, unless an exception applies
Each of these rights will be explained in more detail in subsequent blogs, but the important points are:
- these rights create new responsibilities for you as a business, especially if you process (e.g. use) personal data,
- not being able to comply with these rights can cause individuals to complain to their regulators, and
- you must reply to requests to exercise these rights quickly and accurately.
Most SMEs think they are too small for anyone – customers, employees, regulators – to notice if they don’t comply. That is not the situation under the GDPR. Each regulator must “handle” every complaint lodged with it by an individual. So, if an SME does not respond to an individual exercising one of these rights, that individual can file a complaint with the regulator of the country where the individual lives, where the individual works, or where the SME’s failure to respond took place. The filing of a complaint could lead the regulator to look into your business and assess fines. How much could those fines be? Up to 4% of your total worldwide annual turnover (gross revenue).
Sure, you may be saying to yourself that since it takes time for complaints filed with regulators to be investigated, you don’t need to worry about it just yet. Not the case, we hate to say! The results of these investigations are just starting to be seen, and they are coming fast and furious. The Irish regulator addressed and resolved over 6,000 complaints in 2019! Individuals are exercising their rights. The German Bavarian state regulator announced it is auditing the implementation of the GDPR in SMEs.
Other regulators already have investigated and fined SMEs! The following are just a few examples:
- In November, the French regulator imposed a €500,000 fine on a company of less than 100 employees that was the subject of a complaint from an individual for five violations of the GDPR: failure to process data which are adequate, relevant and limited to what is necessary for the purposes for which they are processed; failure to inform the individuals; failure to respect the right to object; failure to cooperate with the supervisory authority; and failure to provide the appropriate safeguards regarding the transfer of personal data outside the EU.
- In October, the Polish regulator imposed a fine of approximately €47,000 on a marketing industry company for failure to implement appropriate technical and organizational measures to enable easy and effective withdrawal of consent to the processing of personal data and to exercise the right to request the immediate deletion of personal data.
- In December, the Belgian regulator imposed a fine of €15,000 on an SME operating a legal information website with approximately 35,000 unique visitors a month because insufficient information was provided about cookies deployed on the website, because the appropriate type of consent was not obtained for certain types of cookies and because there was no easy way to withdraw consent.
Many SMEs want to comply with the GDPR but don’t know how. This blog is the first in a series of blogs that will explain, in bite size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, an automated web and mobile tool, can help SMEs implement the GDPR and demonstrate their implementation.