What is the GDPR?
The General Data Protection Regulation (GDPR), which came into effect on 25th May 2018, provides a legal framework for keeping everyone’s personal data safe by requiring companies to have robust processes in place for handling and storing personal information. It’s also designed to protect us as individuals from being contacted by organisations without our express permission.
Why Does it Matter?
The GDPR is bigger than its predecessor, the Data Protection Act 1998 (DPA 1998), and ushered in a wave of new rules which are significantly different in certain areas, such as:
- a wider definition of ‘personal data’ which covers more information than ever before;
- data processors (i.e. firms that process personal data on behalf of another business, such as an outsourced payroll service) will be required to comply with the GDPR, whereas they weren’t required to comply with the DPA 1998;
- businesses based outside of the EU will have to comply if they offer goods or services into the EU (one to watch post-Brexit!);
- when obtaining ‘consent’ from individuals, it must now be explicit and specific - it’s all about ‘opting in’ (and knowing exactly what we’re signing up for) rather than ‘opting out’. The old rules placed the onus on the individual to ask to be removed from a mailing list. In future, businesses must ask for consent from the very start;
- a duty to report data breaches to the Information Commissioner within very strict timeframes;
- a new ‘right to be forgotten’;
- the statutory need for certain businesses to appoint data protection officers, responsible for overseeing the new requirements for record-keeping and data impact assessments;
- an easier process for individuals to claim compensation from a non-compliant business; and
- tougher penalties for non-compliance.
Who Needs to Know?
This is a matter of governance, so it should be on the Board’s agenda. As well as operational policies for marketing teams and data handlers, firms may be required to appoint data protection officers and conduct privacy impact assessments. The content of trading contracts between businesses has become more complicated. So HR, operations, business development, and marketing should all be involved, and everyone in the business who uses data should be aware of how to comply.
While some industries will be more obviously affected than others – those in the direct marketing industry, consumer-facing businesses, firms that trade internationally or through e-commerce, and firms that hold huge customer databases – the GDPR will touch every business to some degree.