So what is GDPR?
The General Data Protection Regulation (GDPR) is an EU regulation that unifies and strengthens data protection for individuals in the EU. It is unaffected by Brexit and applies in the UK from 25th May 2018, where it will be enforced by the Information Commissioner’s Office (ICO). The Queen’s Speech in June 2017 announced a new Data Protection Bill to replace the Data Protection Act 1998. The Bill incorporates the GDPR, and the Government’s intention is that the new Data Protection Act will carry the GDPR standards into UK law once the UK leaves the EU.
The Government says the Bill will ensure that the UK’s “data protection framework is suitable for our new digital age and cement the UK’s position at the forefront of technological innovation, international data sharing and protection of personal data”.
What is it for?
It is designed to give individuals control over how their personal data is used. This includes being able to opt in to and out of marketing easily (consent) and having their data deleted on request (the right to erasure, often called the right to be forgotten).
GDPR will bring a culture change in how businesses view their ‘data’, recognising that it is a list of individuals who deserve to know how and why their personal information is being used and stored. Its principles of data minimisation and storage limitation mean companies should collect and keep less data than they do today, and the principles of transparency and accountability mean they must be able to show how and why they process it. The protection of customer data is paramount.
How does it affect me?
GDPR affects organisations anywhere in the world that offer goods or services to individuals in the EU, whether or not payment is required, or that monitor their behaviour. Organisations will have a duty to report personal data breaches to the relevant supervisory authority (the ICO in the UK) within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals, and to tell the affected individuals where the risk is high. There are significant fines and legal implications for non-compliance.
Today, the ICO can impose fines of up to £500,000 for contraventions of the Data Protection Act 1998. Under GDPR there are two tiers of fine: up to €10m or 2% of global annual turnover, whichever is greater, for infringements of obligations such as security and breach notification; and up to €20m or 4% of global annual turnover, whichever is greater, for the most serious infringements, such as breaching the core data protection principles, the conditions for consent or individuals’ rights.
Impact on Marketing
- Think about your brand reputation and TRUST
- You must be able to demonstrate consent (or another lawful basis) before you send any marketing, which means keeping a record of when and how it was given
- You must create a clear journey for the customer to opt-in AND out of marketing messages
- Changes to how you use (process) customer data for marketing
- Need to tell customers how and why their data is being used
Impact on IT
- Think about where you store personal data: email accounts, business software, cloud services, mailing-list tools such as Mailchimp?
- What devices hold it – mobiles, laptops, home PCs, servers?
- Think about why you have this data, where it came from and why you need it
- Ensure security processes for yourself and any staff members or users of your devices
- Are your devices and accounts password-protected and, where appropriate, encrypted, and do you have a privacy policy that tells people how their data is used?
- How long have you kept this data, why, and when will you delete it?
Impact on HR
- All staff and users will need to be trained on your GDPR processes
- Use of suppliers and third parties that handle your data – they will need to be GDPR compliant too, and where they process personal data on your behalf you will need a written contract with them
- The collection, processing and storage of employee data on joining and leaving your business
As you can see, GDPR affects your whole business, and changes will need to be made as soon as possible to ensure compliance.
This blog is a commentary on the GDPR, as we interpret it, as of the date posted. We’ve spent a lot of time learning about the GDPR and focusing on how it can be practically implemented. However, not all aspects and interpretations of the GDPR are as black and white as they perhaps should be, and no doubt will be in the future. Therefore, this blog is provided for informational purposes only and should not be relied upon as legal advice.
If you are concerned about implementing GDPR in your business, the good news is, we are here to help! We offer GDPR Consultancy, assessing your processes and systems in preparation for GDPR compliance and providing on-site staff training.