It’s not often that a piece of regulation affects everyone in business, but this one does.
If your normal work activities involve storing or using information relating to named individuals – customers (past, present and prospective), suppliers, employees, people you know in your network – anyone – then you need to take note of the GDPR.
What is it?
The General Data Protection Regulation (GDPR), which came into effect on 25th May 2018, provides a legal framework for keeping everyone’s personal data safe by requiring companies to have robust processes in place for handling and storing personal information. It’s also designed to protect us as individuals from being contacted by organisations without our express permission.
Why does it matter?
The GDPR is bigger than its predecessor, the Data Protection Act 1998 (DPA 1998), and ushered in a wave of new rules which are significantly different in certain areas, such as:
- a wider definition of ‘personal data’ which covers more information than ever before;
- data processors (i.e. firms that process personal data on behalf of another business, such as an outsourced payroll service) will be required to comply with the GDPR, whereas they weren’t required to comply with the DPA 1998;
- businesses based outside of the EU will have to comply if they offer goods or services into the EU (one to watch post-Brexit!);
- when obtaining ‘consent’ from individuals, it must now be explicit and specific - it’s all about ‘opting in’ (and knowing exactly what we’re signing up for) rather than ‘opting out’. The old rules placed the onus on the individual to ask to be removed from a mailing list. In future, businesses must ask for consent from the very start;
- a duty to report data breaches to the Information Commissioner within very strict timeframes;
- a new ‘right to be forgotten’;
- the statutory need for certain businesses to appoint data protection officers, responsible for overseeing the new requirements for record-keeping and data impact assessments;
- an easier process for individuals to claim compensation from a non-compliant business; and
- tougher penalties for non-compliance.
Who needs to know?
This is a matter of governance, so it should be on the Board’s agenda. As well as operational policies for marketing teams and data handlers, firms may be required to appoint data protection officers and conduct privacy impact assessments. The content of trading contracts between businesses has become more complicated. So HR, operations, business development, and marketing should all be involved, and everyone in the business who uses data should be aware of how to comply.
While some industries will be more obviously affected than others – those in the direct marketing industry, consumer-facing businesses, firms that trade internationally or through e-commerce, or firms that hold huge customer databases – the GDPR will touch every business to some degree.
Five things to check now:
This hasn’t been just a minor change; it’s much more expansive than that. So, with that in mind, here are five things that you need to address, if you haven’t already.
- Information held: do you know what personal data you currently hold, where it came from and what it is used for? If not, carrying out an information audit will help identify areas for reform;
- Privacy notices: check your current privacy notices (the statement that describes what you use data for): do they meet GDPR requirements? Remember they should be kept under continuous review and updated when something changes;
- Rights: ensure that your procedures cover all the rights of an individual, including how data would be provided in response to a request or how you might action a request for erasure;
- Gathering consent: does how you gather and record consent comply with the GDPR?
- Information for children: storing information on children requires parental or guardian consent. Have you put in place adequate verification of individuals’ ages to facilitate the proper consent procedure?
Put simply: don’t panic.
Yes, the demands and requirements are high. Ensuring all policies relating to data protection are at least current is a good starting point, followed by an audit of your data, which we can help you with. Going forward, you should be looking to ensure that any new business contracts you enter into contain appropriate compliant data clauses, and any existing contracts are amended.
Our Commercial team is available to help.
Our legal advice and training are pragmatic and commercially focused. We will always look to apply the law to specific practical situations wherever possible, to help make the subject matter understandable and digestible for non-legal professionals.
We work alongside our clients to formulate bespoke advice to fit their needs, as this ensures we add the most value and knowledge for the time given.