The new General Data Protection Regulation (GDPR), due to come into force on 25th May 2018, has been cited as the largest change to data protection legislation in the last 20 years. As explained by PwC, the data privacy and protection landscape is rapidly transforming as new regulation puts all businesses at risk of significant fines and sanctions if they fail to protect customer and employee data. Any entity of any size, public or private, anywhere in the world that is dealing with data on European citizens is impacted.
What is GDPR?
GDPR is effectively an extension of the UK Data Protection Act 1998 (DPA) and will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
The legislation requires organisations to respect and protect personal data, no matter where it is sent, processed or stored.
Does this regulation apply to my business?
In short, YES. The GDPR applies to both B2B and B2C businesses. Whilst the GDPR is an EU regulation, it applies to any organisation storing or processing data about EU citizens, regardless of where that organisation is located. It doesn’t even matter that the UK is leaving the EU in 2019, as it is widely expected that the existing legislation will be cut and pasted into our own independent laws moving forward.
What does the term “personal data” actually cover?
This includes details such as name, address, email address, mobile number, bank account details, credit card number, driving licence or passport number, online name, and genetic or biometric data.
GDPR legislation covers indirect as well as direct identification of individuals. Your management and marketing teams will need to consider ALL of the places on your system where pieces of personal information are stored separately but, when aggregated together, could form a picture of a person’s identity.
In addition to all the places where personal contact information is stored digitally, it is important to consider copies held in hard copy format, for example business cards, an old-fashioned Rolodex, printed copies of spreadsheets and so on.
Does this apply to business contact information?
Business contact information including an individual’s work email address will typically be covered by the regulation.
What happens if I fail to comply with the legislation?
If you are audited and your company is found to be non-compliant, you could be fined up to 4% of your company’s global annual turnover, or €20m. Your business could also suffer reputational damage.
What are the advantages of GDPR?
Whilst this new legislation could cause some initial hassle for businesses as they delve into their data systems and get to grips with the requirements, it is important to remember that there are some benefits to the legislation. PwC explains that this legislation will represent a major opportunity to transform your business’ approach to privacy, to harness the value of your data and to ensure that your business fits into the financial economy.
What are the main areas to consider?
- Consent
The new GDPR legislation brings far stricter rules with regard to consent, and these particularly affect the marketing side of your business. As of 25th May 2018 you will need to be very clear that the client or contact has consented to be emailed by you. The legislation states that consent needs to be freely given and should be specific, informed and unambiguous. It’s important to note that consent cannot be inferred from silence, pre-ticked boxes or inactivity, and you must be able to demonstrate that consent was given. This means that most businesses will need to review the systems they use to record consent and maintain a coherent audit trail. Opt-in methods will need to be more involved, and you will need to ensure that there is an easy way to withdraw consent at any time should the client or prospect request this.
- The right to be forgotten
GDPR provides individuals with the right to request that their information is erased. You will need to include a way to evidence the full deletion of a contact. If you have disclosed the personal data in question to third parties, you must inform them about the erasure of the personal data.
- Information held with third party suppliers
The legislation covers all areas where personal data is stored or imported; this includes email marketing platforms, third party project management tools, booking systems and even finance packages.
You need to have a clear understanding of what information your third party suppliers hold and the level of GDPR compliance they have achieved. This is where the question of who owns the data comes into play, as the owner of the data is responsible for any breach by their supplier.
What does my business need to do to get GDPR ready?
1. Perform an information audit to understand what client data you are holding, who you might share it with, where it is stored, how current it is and who is responsible for the data.
2. Examine the need for a data protection officer and appoint one if necessary.
3. Check that all CRM, email platforms and third party software handle data in a GDPR compliant manner.
4. Review internal policies to assess adherence to the GDPR regulations.
5. Determine the level of consent from contacts in your database.
6. Make a plan to attain consent.
7. Perfect your opt-in process and consider a preference centre if needed.
8. Create a process whereby any data breaches can be easily detected, reported on and investigated.
To help you take the GDPR compliance process further and share it where necessary, we've put together this handy information sheet.
If you require more information about this piece of legislation, please refer to the Information Commissioner's Office.