It’s not often that a piece of regulation affects everyone in business, but this one does.
If your normal work activities involve storing or using information relating to named individuals – customers (past, present and prospective), suppliers, employees, people you know in your network – anyone – then you need to take note of the GDPR.
What is it?
The new General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. It provides a legal framework for keeping everyone’s personal data safe by requiring companies to have robust processes in place for handling and storing personal information. It’s also designed to protect us as individuals from being contacted by organisations without our express permission.
Why does it matter?
The new GDPR is bigger than its predecessor, the Data Protection Act 1998 (DPA). If you’re already operating within the current DPA then that’s a good start, but the new rules are significantly different in certain areas, such as:
- a wider definition of ‘personal data’ which covers more information than ever before
- data processors (i.e. firms that process personal data on behalf of another business, such as an outsourced payroll service) will be required to comply with the GDPR, whereas they aren’t required to comply with the DPA
- businesses based outside of the EU will have to comply if they offer goods or services into the EU, so one to watch post-Brexit
- when obtaining ‘consent’ from individuals, it must now be explicit and specific - it’s all about ‘opting in’ (and knowing exactly what we’re signing up for) rather than ‘opting out’. The old rules placed the onus on the individual to ask to be removed from a mailing list. In future, businesses must ask for consent from the very start
- a duty to report data breaches to the Information Commissioner within very strict timeframes
- a new ‘right to be forgotten’
- the statutory need for certain businesses to appoint data protection officers, responsible for overseeing the new requirements for record-keeping and data impact assessments
- an easier process for individuals to claim compensation from a non-compliant business
- tougher penalties for non-compliance of €20 million or more
Who needs to know?
This is a matter of governance, so it should be on the Board’s agenda. As well as operational policies for marketing teams and data handlers, firms may be required to appoint data protection officers and conduct privacy impact assessments. The content of trading contracts between businesses are likely to become more complicated. So HR, operations, business development, and marketing should all be involved, and everyone in the business who uses data should be aware of how to comply.
While some industries will be more obviously affected than others – those in the direct marketing industry, consumer-facing businesses, firms that trade internationally, through e-commerce or that hold huge customer databases – the GDPR will touch every business to some degree.
Five things to check now
This isn’t just a minor change, it’s much more expansive than that. So, with that in mind, here are five things that it’s a good idea to address now, before any changes need to be implemented.
- Information held: an information audit to check what personal data is currently held, where it came from and what it is used for will help to inform your consent process for existing contacts (previous ‘soft’ opt ins may not comply)
- Privacy notices: by checking your current privacy notices (the text that describes what you use data for), you can put a plan in place for making necessary changes ahead of the introduction of the GDPR
- Rights: ensuring that your procedures cover all the rights of an individual, including how data would be provided in response to a request or deleted, will smooth the transition
- Gathering consent: how you gather and record consent may be compliant under the DPA, but not GDPR. Checking this is fit-for-purpose now will save time in the long run
- Information for children: storing information on children requires parental or guardian consent, so verification of individuals’ ages will be required to facilitate the proper consent procedure
Put simply: don’t panic.
Yes, the demands and requirements are high, but there is time to prepare. Ensuring all policies relating to data protection are at least current is a good starting point, followed by an audit of your data, which we can help you with. Cleansing your datasets now while not under immediate pressure will be much easier than doing so in the days running up to the introduction of GDPR into law. And you should be looking to ensure that any new business contracts you enter into between now and May 2018 contain appropriate compliant data clauses, and any existing contracts that will remain in force beyond that date are similarly amended.
We will be sharing a series of detailed briefings that we will be releasing throughout the next few months to cover the main areas you will need to be aware of within the GDPR, keep an eye out on the other pages within this section for this detailed information. Or alternatively, Sign up to our newsletter and you can be assured that the latest briefings will be delivered to your inbox, and of course, should you need it, we are on hand to offer advice and support through the transition from the DPA to the GDPR.