The General Data Protection Regulation (GDPR) is now in effect! If you’ve heard of it but don’t actually know what the GDPR is, it is a European Union (EU) regulation on privacy and data protection. In short, it sets out a new set of rules to ensure that customer data is protected, and it came into effect on the 25th of May, 2018.
Think it doesn’t impact your business on the other side of the globe? Make sure you read the next paragraph.
One of the most important things to note is that the GDPR doesn’t just impact all businesses based in the EU, but also anyone who is processing the data of EU citizens. So if any of your customers are European, even if they are on holiday and utilise the services of your business, or if your business has any relation to European data including recording, storing, collecting, erasing or using personal data, then you need to be thinking about the GDPR because it will affect you.
What are the main compliance requirements?
There are many compliance requirements that all have different levels of impact on businesses. Five of the main requirements that will impact most individuals are outlined below:
Firstly, one of the main requirements is the legal, fair and transparent processing of data. This means that all data processing must be legitimate, that the company is responsible for it, and that the company must inform customers about how their data is processed.
Secondly, another requirement is the control of purpose, data, and storage. This requirement focuses on the amount of data being processed: processing is expected to be limited to only the data that is really necessary, and that data is to be removed once it is no longer needed.
Thirdly, there is consent to use data: the customer must give clear and explicit consent, and that consent must be documented. Customers are allowed to revoke their consent at any time.
Fourth, there are data subject rights. This requirement gives your customers the right to ask what information you collect and how it will be used, and to request a correction or even deletion, which you must comply with.
Finally, there is a compliance requirement for data breaches. Companies must maintain a personal data breach register and, depending on the severity, the regulator, and the data subject involved, the customer should be informed within 72 hours.
Your role in the GDPR
To comply with the new regulation it’s really important to understand what role you play. There are two roles: controllers and processors.
Controllers are effectively the customer. If you use nabooki software and trade within the EU or with citizens of the EU, then you are not only a controller but also a processor as you have your own customers.
A processor is anyone who processes your data. If you use nabooki software then we (nabooki) are a processor for you, because we process the data that is transmitted via our software. Other programs integrated with nabooki, such as QuickBooks and Campaign Monitor, are also processors for you. It’s really important to note that you are the processor for your customers and you are responsible for the management of their data. Under the new regulations, you are expected to be able to remove and export your customers’ data, which nabooki allows you to do, and we provide helpful articles in our support centre on how to do so.
Do I inform my existing clients?
This checklist will help you ensure you’re compliant with the new regulations:
- Make sure your customer is “opting-in” instead of “opting-out”
- Understand how to export your customer data and permanently delete customer data (at your customer’s request)
- Review everyday business processes to make sure you are not unintentionally sharing data
What have we done to become compliant?
This post is not intended and does not constitute legal advice. If you have queries it is best to consult your lawyer about what your business needs to do to become GDPR compliant.