
GDPR: 10 important things your business needs to know


The General Data Protection Regulation (GDPR) has been called the biggest ever shake-up relating to how personal data about individuals can be stored.

The GDPR goes far beyond existing data protection measures and affects businesses of all sizes – from sole traders up to the biggest corporations. Research undertaken by Sage shows that 91% of US businesses lack awareness surrounding GDPR, while 84% don’t understand what GDPR means for their business.

Unsurprisingly, businesses have many questions about GDPR – ranging from how it should be implemented to how it will impact their day-to-day work.

Here are the answers to some frequently asked questions. Got any other questions? Let us know in the comments below for a future update of this piece.

1. My business is not based in the EU. Am I affected?

The GDPR affects any business worldwide that processes the data of individuals in the EU. Our research shows that 13% of US businesses currently have offices, employees, customers, and/or suppliers based in the EU. In fact, if you are offering goods or services to individuals in the EU or monitoring their behavior, you will probably need to employ a representative within the EU to handle GDPR inquiries.

Additionally, you must notify the appropriate authorized government organization in writing who this representative is. Many third parties already specialize in handling this type of issue. At the very least, you should make inquiries to see whether this is a requirement for your business.

Before enforcement of the GDPR, it’s difficult to predict the consequences for businesses outside the EU that contravene the GDPR, but they could include being prohibited from transacting business within the EU until compliance is demonstrated, which could take some time. This could affect not just sales but also suppliers, and so could have a devastating effect.

2. Does my business need to become “GDPR certified”?

No. The wording of the GDPR doesn’t specify or mandate a certification system, but it does encourage voluntary certification via industry bodies or organizations compliant with ISO/IEC 17065/2012, an internationally recognized standard.

While becoming GDPR-certified is encouraged for any business as a way of providing guarantees relating to technical and organizational security measures, among other things, it is particularly important for third parties that process data on behalf of others.

3. What’s the deadline for the GDPR?

The GDPR went into effect on May 25, 2018. There is no grace period or overlap for your business, so you must ensure your business is ready from that date.

4. Will my business have to undergo GDPR audits or inspections?

There’s no requirement within the GDPR for regular governmental audits or inspections, but supervisory authorities do have the right to carry out audits as part of their investigatory powers. However, this isn’t to say self-imposed audits or inspections aren’t a very good idea, or even a de facto requirement for GDPR compliance.

For third parties providing data processing services to others, the situation is a little more complicated. They will have to make available to the company employing them all information necessary to demonstrate compliance with their obligations under the GDPR. They must also allow for and contribute to audits, including inspections, that the business employing them mandates.

The GDPR also introduces significant and onerous new record-keeping requirements for all businesses. It’s not enough to merely comply with the GDPR: any business must be able to prove that it’s doing so.

Note that there’s a possibility governments might implement formal, regular audit processes when they implement the GDPR within national laws.

5. I’m a solopreneur, does the GDPR affect me?

Yes. The GDPR affects anybody or anything engaged in an economic activity that processes personal data – including organizations such as partnerships, charities or clubs/societies. It doesn’t matter whether this entity is legally recognized or not.

6. Are products from Sage ready for the GDPR?

Sage is working to ensure all its active products are GDPR-ready. Sage recommends users ensure they are running the latest versions of software.

Specifically, to assist organizations in meeting their GDPR obligations, Sage may continue to provide additional enhancements, so customers are advised to periodically review the latest available version and install updates as appropriate. Customers running cloud products, such as those within the Sage Business Cloud, will benefit from always running the latest versions of software.

7. In a nutshell, how does the GDPR differ from existing data protection legislation?

To be blunt, the differences are so extensive that it’s impossible to sum them up in a quick answer. General Data Protection Regulation: The Sage Quick Start Guide for Businesses provides a concise and readable overview.

8. What are the consequences of not following the GDPR protocol?

Your business might be fined up to 4% of annual global turnover. Notably, it’s possible to breach the GDPR without an actual data loss having occurred.

9. How much will the GDPR cost my business?

Expenses for an average business are likely to include some if not all of the following:

  • Audits of all processes in all departments, ideally by a qualified individual or business
  • Modifications such as staff retraining and information technology adaptations
  • Potentially appointing and training a Data Protection Officer (DPO; see Q10 below)
  • Setting up and maintaining continual documentation processes demonstrating compliance with the GDPR
  • Voluntary certification costs, especially if your business processes data on behalf of other companies (see Q2 and Q4 above, remembering that you should only use certification bodies that are compliant with EN-ISO/IEC 17065/2012 and that have been authorized by the relevant supervisory authorities).

10. Will I need to appoint a Data Protection Officer (DPO)?

Some types of businesses will have to do so. Examples include if your business is a public authority, if your core activities involve the monitoring of individuals on a large scale (including profiling), or if you handle data in special categories such as medical data or data relating to criminal convictions and offenses.

Your Data Protection Officer could be an existing employee, or you could contract somebody from outside of your business, but you’ll have to inform the government contact who they are, and they will also need to be properly trained.