Does the GDPR apply to my business?
The deadline for the EU’s General Data Protection Regulation (GDPR) is fast approaching. On May 25th 2018, it will become enforceable and businesses across the EU and beyond will be required to comply.
Despite the publicity surrounding the GDPR, public awareness and understanding of its implications seem to be patchy. In a 2016 Experian survey, only 7% of business owners claimed to be ‘very prepared’ and 25% were either ‘not very’ or ‘not at all’ prepared. [1]
Here at Experian we’re keen to help clear up some of the confusion and that starts with establishing exactly who the GDPR applies to – and who it doesn’t…
In a nutshell, the new rules will apply to all organisations (both in the EU and, in certain circumstances, outside) who collect, store and process the personal data of EU citizens.
What is personal data?
A key part of preparing for the GDPR is understanding if you process personal data as part of your business and if so, what personal data you hold. In order to do that, it’s useful to understand exactly what personal data is…
GDPR defines personal data as “any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
This definition is very wide and therefore many different things can constitute personal data. Personal data might include obvious identifiers such as name, address, email address, date of birth and credit card details. It might also include less obvious identifiers such as online identifiers or reference numbers, all to the extent that they identify a natural person. More information on personal data can be found on the ICO website.
It’s also worth noting that personal data doesn’t just relate to consumers but can also be attributed to sole traders, partnerships, employees, prospects or members of the public.
What about the size of my business – does that make a difference?
You’ll have to comply, no matter how small your business is. If you’re processing personal data, then GDPR applies to you.
However, if your business has fewer than 250 employees, then some of the requirements to maintain records of processing won’t be applicable. You can read more about this on the ICO website.
What does this mean for my business?
There’s at least a whole blog post’s worth of content in the answer to that question, but essentially, the GDPR holds consumer interests at its core. A key objective of GDPR is to require organisations to do the same by (amongst other things) being transparent with consumers about how their personal data will be processed.
You will be expected to ensure the proper handling of personal data in all of your business activities. The GDPR requires organisations to be accountable and to be able to demonstrate compliance. To do this you will need to have robust processes, policies and governance in place around how you collect, store and process personal data – and to be transparent about these with your customers.
Although the GDPR is full of legalities, rules and regulations, it’s important to see it as an opportunity. The GDPR is a force for good, with an end goal of creating transparent, fair and responsible businesses when it comes to handling people’s data. If you can adopt the GDPR as best practice for your business, it will help you build trust and stronger relationships with your customers.
Experian B2B Prospector is here to support you when it comes to keeping your data cleansed and up-to-date. If you’d like more information on the services available, such as data enhancement, email validation and data quality, then please visit our website or call us on 0870 012 1111 and one of our team will be happy to help.
Please note that while we can support businesses with their preparations for the GDPR, we cannot offer legal counsel or compliance advice and this blog should not be considered as such.
Source: 1. Experian / Data IQ, General Data Protection Regulation – Identifying its impact on marketers and the consumer’s moment of truth, 2016