63% of data breaches involve a third party relationship, so if you do not have suitable 3rd Party contracts if they breach your data it will have a major impact on you.
The new General Data Protection Regulation (GDPR) – which comes into force on the 25th May 2018 – may at first review seem like “just another EU rule”. However, organizations – and specifically third party risk management teams within them – would take a “tick-box” approach to compliance at their peril.
In fact, the GDPR is such a significant new rule that any organization that does business with EU nationals and holds some form of personal data on them, should dedicate the the time and resources to take a more strategic approach to risk management and compliance within 2017, rather than waiting until next year, or complying more tactically. Compliance with this rule requires a strategic approach because:
- It is an EU regulation, but with significant extraterritorial implications. For example, it effects data about EU citizens processed elsewhere around the world.
- Organizations have significant new risk responsibilities regarding the third parties they engage, who work with impacted personal data.
- The new rule has much more robust protections woven into it for privacy, data protection, and consent.
- The rule requires data protection to now be built into new products, rather than tacked on as an afterthought.
- New fines and sanctions built into the rule are much more severe than under the previous rule – and would apply in the global way in which the rule is written.
- Organizations need to evidence that they have done what is required.
Businesses are starting to panic as they try to comply with the General Data Protection Regulation (GDPR) before the May 2018 deadline. Many even believe that the GDPR won’t apply to them because they have fewer than 250 employees. Our small business guide to the GDPR should help clarify some of the key factors affecting SMEs.
Does it apply to me?
Any organisation, regardless of size, that regularly processes EU residents’ personal data must comply with the Regulation. However, SMEs may be exempt from the more rigorous steps.
Article 30, for example, states that the Article (which relates to the documentation controllers and processors must keep regarding data processing) “will not apply to small businesses except if the processing results in a risk to the rights and freedoms or data subjects, processing is not occasional, or the processing includes special categories of data as referred to in article 9, or personal data relating to criminal convictions and offences.”
This means you might not need the extensive documentation that larger organisations are required to keep. Nevertheless, you may find that your suppliers or customers will require you to have such documentation within their new GDPR-compliant contracts, so having it may give you a competitive advantage.
Data protection officers
The GDPR stipulates that certain organisations must appoint a data protection officer (DPO). There isn’t an exception for small businesses, so if you fall into the following categories, you’ll need a DPO:
- You are a public authority (except for courts acting in their judicial capacity).
- You carry out large-scale systematic monitoring of individuals (for example, online behavior tracking).
- You carry out large-scale processing of special categories of data or data relating to criminal convictions and offences.
The good news is, you aren’t obliged to hire a full-time employee for this role. You can have someone who performs this alongside other duties (if they aren’t processing data and don’t have a conflict of interest), you can share a DPO with other organisations, or you can outsource the role entirely. It may seem a daunting and expensive prospect, but there are cost-effective options out there for SMEs.
If you are an SME or charity and you need GDPR assistance please email firstname.lastname@example.org or call us on 086 17 29383 as we can assist you in a cost effective and realistic way.