By next year, all businesses in the UK will have to comply with General Data Protection Regulation (GDPR). It will dramatically overhaul how company’s collect, process and store data. Businesses must prepare for the changes, as it is a legal framework, replacing the previous 1995 Data Protection Directive. To help navigate this loom minefield, here’s our guide on how to get up to speed with the GDPR.
What is the GDPR exactly?
As of May 2018, explicit consent will have to be given to access the information people give to companies. Under the new rules, companies will no longer be able to use long terms and conditions that don’t explicitly inform the user and request their consent clearly. Failure to clearly demonstrate consent as outlined in these new guidelines will result in fines. Also, all companies will have to notify data breaches to the relevant authority within 72 hours of first becoming aware of the breach. The main goal of the new legislation is to strengthen data privacy and the rights of EU citizens online.
How will it work in practice?
Changes under GDPR will impact how companies work in a number of ways. A data processing officer (DPO) will be required for all the main activities in regulating and overseeing data. DPOs will be the driving figures behind the fostering of a data protection culture within companies and organisations. Any company that processes personal information will need to appoint or delegate one. Also, Privacy Impact Assessments, which is a tool companies can use to collect data, are going to be made mandatory under the GDPR. The legislation applies to all businesses in the EU and even to non-EU organisations that process any data from EU citizens.
The way marketing activities and data permission are managed are set to change. In practice, companies will have to make sure that a person wants to be contacted by including an opt-in on sign ups. This means that you can no longer assume people want to be contacted. For example, you won’t be able to automatically sign visitors up for emails when they fill out a web form.
The customer must understand what they have consented to, without any hidden details, and companies must tell people they have the right to withdraw their consent. Consent requests must be separate from other terms and conditions, with an explicit action to opt-in. In short: Consent must be obvious, unbundled and user-friendly. The point is that people must have an ongoing choice for how their data is managed.
How do you prepare your business for GPDR?
Firstly, you need to review your company’s documentation, assess what data you hold, where it came from via an information audit. You should also update any procedures so that they comply with the guidelines. Likewise, any contracts your organisation has with any third parties should be reviewed. Under the GPDR, an individual has the right to request that their data be erased – therefore, the procedure for dealing with such a request must be put in place. This is the case for both employees and customers who use your online services. It’s critical that you make sure you have the right tools to detect a data breach, as well as hiring a DPO.
Also, you need to make sure that all the key figures in your business understand how to process data in the proper way, as the company can be fined otherwise. Fines can be as high as €20 million or four per cent of a company’s global turnover. During your preparation, it’s important know that you must not send emails to your customers asking for consent, as the message itself is marketing. Flyby learned this the hard way when they were fined 70,000 in August 2016 by the ISO for unsolicited communications. The penalties for this type of data breach will be far heavier under the GDPR.
It’s very important you guide your company towards GDPR compliance. Above all, the key things to remember are: you must get valid consent for using personal data; there are a new range of fines and punishments to be aware of; you’ll need to make sure your business/website is asking for consent/permission consistently. Fear not: There’s still time to prepare and keep your company away from fines and ensure further success.