The General Data Protection Regulation (GDPR) will force a major change in the way businesses handle personal data over the next year, assuming they have heard of it and realise it affects them. The GDPR is a regulation of the European Union that applies from 25 May 2018, superseding the Data Protection Directive on which the UK's Data Protection Act (DPA) 1998 is based, and it brings a long list of changes with it.
From 25 May 2018 the way companies handle personal data will have to be very different from the way it is handled today, or they risk a breach and a possible fine. The new regulation introduces a number of changes: expanded territorial reach, so that it applies to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour; substantially increased rights for data subjects; and a rebalancing of responsibility so that data processors, not only data controllers, carry direct obligations.
Worryingly, about a quarter of UK businesses have halted their GDPR projects because they believe the triggering of Article 50 has made the law redundant. It is quite the opposite: the GDPR applies before the UK leaves the EU, and the UK government has said it will carry the same rules into domestic law. UK businesses need to start their journey into the new way data will be handled, with UK Information Commissioner Christopher Graham saying that “The GDPR is a serious legislation that needs to be taken seriously by businesses”. So what exactly is the GDPR?
- The GDPR is going to happen and will apply from 25 May 2018 (Q2 2018);
- You can no longer assume you have consent to send direct marketing. You will need consent that is freely given, specific, informed and unambiguous, given by a clear opt-in action, before you collect, store and use personal information;
- You will need separate opt-in consent to use personal information in any way other than the purpose for which it was originally collected;
- Individuals have the right to be forgotten (the right to erasure), which affects how you process and store data and how long you keep old data;
- Companies can no longer confuse their customers. Clear, plain wording throughout the customer journey is an absolute must;
- It will be easier than ever for consumers to complain to the regulator and to take legal action;
- Stronger enforcement will be introduced, with supervisory authorities able to impose heavy administrative fines.
The regulation applies to the processing of personal data by both data controllers and data processors. "Processing" may sound narrow, but it covers everything you do with your customers' data: collecting it, storing it, using it, sharing it, receiving it from someone else and deleting it.
It aims to simplify the regulatory environment by setting out clear written rules for those who hand over their data, and by requiring a clear line of responsibility inside the business as the go-to point for any data breach or risk. Non-compliance can attract a fine of up to 4% of worldwide annual turnover or €20 million, whichever is the greater.
Ultimately, the sooner a business starts to plan for this regulation, the better its chance of minimising risk. Things to think about now, ideally by carrying out an audit of how your company captures and stores data:
Collection, Storage and Use
- Where do you collect your customer data?
- How much of this data do you actually use?
- Do your customers know you hold this data about them?
- When do you delete your data?
Action to Take Now:
- Collect explicit consent from new customers
- Re-confirm consent and preferences for existing customers
- How do your customers subscribe or opt out?
- What exactly do you have consent for?
- Is subscribing or opting in a genuine choice?
- Do you use any third-party data?
- If you were asked today, what consent could you prove?
Plan for the future:
- Data deletion
- The right to be forgotten
- Anonymous purchases
It is difficult to be specific about exactly what you need to do, as every company collects data differently, but it is best to start early so you are not rushing at the beginning of next year. If you are still unsure or would like more information, please contact us at firstname.lastname@example.org. We will be posting regular updates on this important topic.