When the GDPR (General Data Protection Regulation) entered into force in May 2018, the rules for handling personal data were tightened considerably, and negligence in handling personal data can be costly. Before GDPR was implemented in the EU, there was really no form of protection for people’s personal data and their privacy on the internet.
A common question that people ask themselves is “which companies are covered by GDPR?”
The answer to that question is that all companies operating in the EU, regardless of size, are covered by GDPR. This means that GDPR is just as important to follow whether you have a start-up company or run a larger business. In this blog post, we will guide you on how companies, large and small, should relate to GDPR to safeguard the privacy of their customers.
What is GDPR in brief?
We begin by briefly reviewing what GDPR is. Some of the key points in the regulation are that you as an individual have the right to transparency, and the right to correct and even delete personal information that companies or organizations have collected about you. GDPR also requires that you as a company do not collect more personal data than is necessary. The personal data must be collected for specific purposes and must not be stored longer than necessary.
People who, for example, register on your website have the right to know how you as a company handle their personal data. It must be clear why you are collecting this information and how you will use it. Those who sign up must also know what rights they have, for example how they can correct incorrect information and how they can have personal information about themselves deleted. This applies not only to B2C but also to B2B relationships, to your own organization and to other types of agreements.
What does GDPR mean for companies?
As mentioned above, GDPR applies to all companies operating within the EU, regardless of size, and exists to protect the privacy of private individuals by ensuring the correct handling of personal data. When a person gives their consent to you as a company to handle their personal data via, for example, a form or a newsletter signup, you as a company have an obligation to make sure that the person actively chooses to give their consent and knows how their personal data will be used.
The agreement that a company must have under the GDPR rules is:
- Data processor agreement
The law also requires the following internal routines:
- Continuous removal of unnecessary personal data
- Handling of the rights of data subjects
- Routines for personal data incidents
- Written documentation of personal data processing
GDPR rules in Sweden
Although GDPR and the rules that come with it can be perceived as complex and a lot to keep track of, it is in fact to your advantage if you as a company have the vision to expand and reach markets outside Sweden’s borders. Before 2018, each country within the EU had its own data protection laws, which meant that even if you followed your own country’s laws, you risked breaking the laws of another country in which you operated.
The purpose of the Data Protection Regulation is to have the same rules for the processing of personal data throughout the European Union. This makes it easier for companies to establish themselves and operate in several EU countries. A Swedish company that complies with the Data Protection Regulation has no reason to worry that the rules for handling information about, for example, its customers are different in another EU country.
It’s not uncommon for Swedish companies to use digital services that handle data outside the EU, such as American ones. It can be anything from analysis tools and communication platforms to logistics tools. GDPR states that transfers of personal data to a country outside Europe may only take place if the country in question can guarantee a high level of protection of personal data. US suppliers can no longer be relied on to handle personal data in accordance with GDPR, which means that companies that send newsletters via a US supplier risk violating the GDPR.
What happens if a company violates GDPR?
What are the consequences of violating GDPR? If you break the GDPR rules, regardless of whether the personal data concerns other companies, customers or organizations, the privacy protection authority decides whether the company is fined and, if so, how large the penalty fee will be. The fee varies depending on how serious the violation is and how much damage has been caused. How sensitive the information is also taken into account.
The maximum penalty fee that a company may have to pay is EUR 20 million or 4% of the company’s global annual turnover. However, fees of that size apply to the more serious violations. For less serious violations, the fee can be up to 10 million euros or 2% of the company’s global annual turnover.
How companies should handle personal data
What actually counts as “personal data”? There is some basic and obvious personal information, such as first and last name and social security number. But there are significantly more ways to identify a person, especially on the internet.
Examples of other personal data are:
- Location information
- A picture
- Bank details
- Updates on social media
- Where you live
- Relationships and the number of children
- Phone number
If you want to dive a little deeper into the GDPR rules and how companies should handle personal data, you can read more about GDPR here.
GDPR template for small businesses
To ensure that you as a company comply with GDPR, it may be a good idea to start by checking that you:
- Follow all the basic principles of the Data Protection Regulation
- Have a correct legal basis for your personal data processing
- Document how you reason and how you work
GDPR in text and agreements for small businesses
Getting acquainted with the regulations, understanding how to actively work with GDPR and taking people’s privacy into account can seem complicated if you are a start-up company. We obviously want to help you along the way. Therefore, we have broken it down into four key points that you can start from and use as a GDPR template for small businesses. This will help you get a clearer picture of which GDPR rules apply, and how you can build a good structure and set good routines to reduce the risk of missing important points that can lead to costly penalties.
- Review and get an overview. What personal data is handled in your business? Map it, and keep in mind that this applies not only to your customer register but also to information about your employees and to data stored in the different types of programs that you use.
- Divide into data categories. What different types of personal data do you handle? Categorize them so that you get an overall picture and can set a clear structure.
- Documentation. Once you as an entrepreneur have categorized what data you handle, it is easy to start documenting it. There should be documentation of why you have the personal data, how it is processed and for what purposes. After that, a data protection policy and a data processor agreement should be written.
- Ask for help. There is a lot to keep an eye on when it comes to GDPR rules for companies. If you have the opportunity, ask for help. It is better to make sure it is right from the start. There are also good GDPR resources online that you can consult to ensure that you follow the GDPR rules that apply to companies and organizations.