Be Proactive About GDPR or It Could Cost You £17.5 Million

By Staff Reporter - 22 December 2017

When the General Data Protection Regulation (GDPR) comes into force in 2018, businesses trading with and within the European Union (EU) will have to shape up. Regardless of how and when Britain finally exits the Union, GDPR will still apply wherever a business offers goods or services to, or monitors the behaviour of, people in the EU. So why are the new laws being ushered in? In short, the overarching aim of GDPR is to strengthen existing data protection law and to create a single framework across the EU for businesses and individuals. In practice, this means that all businesses, large and small, will have to adapt how they handle the personal data of people in the EU, whatever their nationality.

Design for Data Privacy

While many large corporations have the IT resources to make the necessary changes within a short space of time, those with fewer resources need to be proactive now. With GDPR officially going live on 25 May 2018, it is important to get ahead of the curve. Looking at the regulation itself, Article 25 covers two areas that small businesses should consider: data protection by design and data protection by default. The former requires that privacy be embedded throughout the lifecycle of an organisation's products, services and applications. At its core, privacy by design is less about the controls bolted onto data after it has been collected and more about designing systems so that less data needs protecting in the first place. For example, a company can limit the amount of data it collects (data minimisation, which reduces what has to be protected), or it can pseudonymise the data it does hold so that a leaked record does not identify anyone on its own.

Protection Through Pseudonymisation

In practice, pseudonymisation means replacing directly identifying data with pseudonyms or markers. For example, a business may replace a customer's name and email address with a unique string of characters and keep only that marker in its working data set. Given a single marker on its own, it is very hard to work out who it belongs to. However, as the GDPR defines it in Article 4(5), pseudonymised data can still be attributed to a person when combined with additional information, and that additional information (for instance the key or lookup table used to generate the markers) must be kept separately and protected by its own technical and organisational measures. This is what lets a business re-identify an individual when it legitimately needs to, for example to answer a subject access request, while a leaked copy of the working data set identifies nobody by itself. Note that pseudonymised data is still personal data under the GDPR; only genuinely anonymised data falls outside it.

In terms of costs, both direct and indirect, this is a strategy any small business needs to consider. Although it is not suitable for all types of data, a proactive approach is cheaper than a reactive one: pseudonymisation does not remove the need to secure systems, but it shrinks the set of data that can do harm if it leaks, and with it the cost of a breach. On top of this, you reduce the risk of breaching the GDPR and incurring a fine. The maximum penalty is €20 million (about £17.5 million) or 4% of a business's total worldwide annual turnover, whichever is higher. That top tier applies to the most serious infringements, such as of the basic processing principles or of data subjects' rights; failures in the security and privacy-by-design obligations themselves carry a maximum of €10 million or 2%.

Overall, when it comes to the GDPR, being proactive and working towards privacy by design is the smart option for small businesses. Strategies such as pseudonymisation, controlling who has access to which data, and minimising data collection are simple ways to stay on the right side of the law when the GDPR comes into effect.
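The following is an added example, not code from the original article or from any product it describes, showing what the pseudonymisation described above looks like in practice. Direct identifiers (name and email) are replaced with an HMAC-based marker computed under a secret key; the key and the re-identification table are the "additional information" that must live separately from the working data set. The sample customer records, field names and key are constructed for illustration. The last two functions show the failure mode a practitioner should check for: an unkeyed hash of a low-entropy identifier such as an email address is not a pseudonym, because anyone with a list of plausible inputs can reverse it.

```python
"""Pseudonymisation with a separately held key (added illustrative example)."""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

# Constructed sample records; these are not real people.
CUSTOMERS = [
    {"name": "Alice Example", "email": "alice@example.com", "order_total": 120.50},
    {"name": "Bob Example", "email": "bob@example.com", "order_total": 75.00},
]

# Fields that directly identify a person and are therefore replaced by a marker.
DIRECT_IDENTIFIERS = ("name", "email")

# A small constructed "dictionary" an attacker might try against leaked hashes.
CANDIDATE_EMAILS = ["carol@example.com", "bob@example.com", "alice@example.com"]


class Pseudonymiser:
    """Replaces direct identifiers with a keyed-hash pseudonym.

    The key and the lookup table are the 'additional information' of GDPR
    Art. 4(5): they are kept apart from the pseudonymised data set, and
    re-identification is only possible for whoever holds them.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        # A fresh random key per deployment unless one is supplied (e.g. from a KMS).
        self.key = key if key is not None else secrets.token_bytes(32)
        # Re-identification table: pseudonym -> original identifiers.
        self._lookup: Dict[str, Dict[str, str]] = {}

    def pseudonym_for(self, email: str) -> str:
        # Canonicalise so "Alice@Example.com" and "alice@example.com" get one marker.
        canonical = email.strip().lower().encode("utf-8")
        # HMAC-SHA256: without the key the marker cannot be recomputed or guessed.
        return hmac.new(self.key, canonical, hashlib.sha256).hexdigest()[:16]

    def pseudonymise(self, record: Dict) -> Dict:
        """Return a copy of the record with direct identifiers replaced by a marker."""
        pid = self.pseudonym_for(record["email"])
        self._lookup[pid] = {k: record[k] for k in DIRECT_IDENTIFIERS}
        working = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        working["customer_id"] = pid
        return working

    def reidentify(self, pid: str) -> Optional[Dict[str, str]]:
        """Resolve a marker back to the person, e.g. for a subject access request."""
        return self._lookup.get(pid)


def unkeyed_hash(email: str) -> str:
    """The weak alternative: a plain SHA-256 of the identifier, no secret involved."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def recover_from_unkeyed_hash(candidates: Iterable[str], target: str) -> Optional[str]:
    """Dictionary attack: try each candidate and return the one whose hash matches."""
    for candidate in candidates:
        if unkeyed_hash(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    p = Pseudonymiser()
    working_set = [p.pseudonymise(c) for c in CUSTOMERS]
    print("working data set:", working_set)
    print("re-identified:", p.reidentify(working_set[0]["customer_id"]))
    leaked = unkeyed_hash("alice@example.com")
    print("unkeyed hash reversed to:", recover_from_unkeyed_hash(CANDIDATE_EMAILS, leaked))
```

The working data set keeps only the marker and the business fields it needs, so a copy of it leaks no names or addresses; the key and lookup table are what a subject access request or a legitimate join needs, and they are what must be locked down. A random per-record token stored in the lookup table works equally well when records never need to be re-linked by the identifier itself; the keyed hash is used here so that the same customer always maps to the same marker without consulting the table.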

Registered in England & Wales. No: 4513027, Positive Media Group, Old Bank House, 5 Devizes Road, Old Town, Swindon, SN1 4BJ