This article is intended as an introduction to GDPR. For an in-depth investigation into what GDPR means from an IT, legal and marketing standpoint, read our in-depth interview with the experts. Data protection is about to become a major concern for businesses of every size. A new set of data protection and privacy laws called the General Data Protection Regulation (GDPR) will drastically change the way you can collect, store and protect the personal information of customers, clients, and even visitors to your website.
So what exactly do we know so far, what do you need to know, and what are the ramifications for not adhering to the new laws?
What is GDPR?
The EU General Data Protection Regulation is a Europe-wide set of data protection laws designed to harmonise data privacy practice across Europe. The emphasis is on protecting citizens and their data, and giving users more information about and control over how it’s used. The new regulations will come into force by May 2018.
Why has GDPR come about?
In 1980, a body called the Organisation for Economic Co-operation and Development published guidelines for the protection of privacy and the flow of data across national borders. Both the EU and the US endorsed the document and adopted its principles, but they were never implemented consistently.
Levels of data protection varied greatly among EU member states, even after a 1995 directive. It must be said that most of Europe has been running much closer to these standards than the UK has, most notably Germany. Since then, Internet usage has become a great deal more widespread, and technological advances such as cloud storage and social media have changed the way data is processed and transferred. The rules needed updating, they needed to be uniform, and they needed to be applied more rigorously.
Who does it affect?
If you process people’s personal data, in the context of selling goods or services to citizens in other EU countries, you definitely need to comply with GDPR. Compliance with the UK’s Data Protection Act (1998) is not sufficient.
If your activities are limited to the UK, the position is less clear. The Government has indicated it will implement an equivalent to GDPR even after Brexit. Given that the UK has historically supported GDPR as an effective data protection standard, and that it will provide a baseline against which UK businesses can deal with their EU counterparts, it is highly likely that future UK data protection laws will be similar to GDPR.
GDPR defines personal data as anything that can be used to directly or indirectly identify a person: names, photos, email addresses, bank details, posts on social networking websites, medical information or IP addresses.
In terms of sales and marketing, email is one area in which the new laws are going to have a seismic effect. If you currently send email campaigns, you need to make sure your audience has opted in to receive information, and that you have a record of when and where that person opted in. (To prove it was a person and not a ‘bot’, a ‘double opt-in’ is required). This means re-opting in all the people on your mailing list before March next year.
One big question is: will they want to? If you’ve sent nothing but sales messages for the last 12 months, what is the incentive for them to sign up again? As well as impacting your existing mailing list, GDPR will affect list buying. The days where you could import a huge, bought list of twenty thousand contacts will be effectively over. The power lies with the recipient, and unless they have consented to receiving your message, you can’t send them anything.
What are the penalties for non-compliance?
Organisations can be fined up to 4% of their annual global turnover, or €20 million, depending on the transgression.
What will my business have to do?
- Appoint one of your directors to be accountable. This person has to be suitably competent to handle the technicalities involved, and it’s worth considering where you want the accountability to fall - with IT, legal, marketing or elsewhere.
- Ensure you have safeguards in place: procedures to ensure data is confidential, accurate, available when necessary, backed up and encrypted.
- Ensure your suppliers are GDPR-compliant. Any service provider you use to process data has to comply with GDPR standards - and ensuring they do is on you.
- Ensure your customers, clients or website users have explicitly consented to their data being stored. This is a significant change, and most current measures are not sufficient. Your records need to prove that users have agreed to you storing their data - and failing to disagree is not enough. Crucially, users will also have a statutory right to have their data erased permanently from your records - so you’ll need the capacity to do that too.
- Ensure you’re explaining to users, in plain language, what data you’re holding, how long you’re holding it for, and how users can withdraw their consent. Your policy has to be simple and appropriate, as well as containing all the required information.
- Report breaches. Under GDPR, any breach of data protection must be reported to the Information Commissioner’s Office within 72 hours. You’ll need a robust process for detecting, reporting and responding to data breaches.
- Be prepared for more access requests. As people become more aware of their data privacy rights, they are likely to query the data you’re holding, and you’ll need to turn those requests around in good time.
In the short term, we recommend appointing an accountable director, setting aside a small budget for new data protection systems, and establishing exactly what personal data your business is storing and how. This will enable you to establish a plan for compliance well in advance of the GDPR rollout in May 2018. We will be publishing more detailed GDPR advice over the coming weeks and months.
The bottom line is that GDPR is going to affect almost every business in the UK and the EU at large. If you’re still not sure what to do next, contact us.