All businesses in the EU will be affected by the new General Data Protection Regulation that is set to come into force on 25th May 2018. Many are still confused about how it will affect them, and with hefty fines on the horizon, it pays to make sure you are fully compliant.
What is the GDPR?
The whole idea behind the new Data Protection Act (replacing and improving on the former 1998 Act) is to give citizens or ‘data subjects’ more control over how personal data is used by businesses or ‘data controllers’.
Personal information is anything that can identify you as an individual, including financial and health-related details, political opinions, religious beliefs, sexual orientation and ethnicity. Any data controller that handles this data must comply with the new regulations.
A Data Protection Officer will have to be appointed within your company, and will be responsible for reporting any data losses to the ICO (Information Commissioner’s Office) within a 72-hour window of the breach. As a business owner you have a duty of care to inform the affected individuals that their data has been lost, and this should be done in line with the report to the ICO.
The core of GDPR is obtaining a data subject’s consent before using their data for anything other than the specific purpose for which your business uses it.
Marketing is a key element of consent, and all businesses need to obtain prior written consent from all individuals before sending any unsolicited messages. This includes any existing individuals on file.
If consent is not obtained, you must immediately delete or ‘anonymise’ any data that is held relating to that individual data subject.
The fines reflect how seriously the new act must be taken. Potential fines can be as high as €20 million or 4% of the company’s annual turnover (whichever is the greater value).
However, since the announcement of the GDPR, the Information Commissioner’s Office has attempted to downgrade the full value of the fines to around €1 to 2 million, depending on the severity of the data loss.
After the law has come into effect, and even after we leave the EU in 2019, all businesses will have to comply as the act will still protect the data of all EU citizens.
The UK Parliament will be bringing in its own version of the act once we have officially exited, as we were one of the biggest supporters of the act from its inception.
How to implement GDPR in practice
The first port of call is to review how you currently obtain personal data and seek consent from all the clients and individuals you deal with.
Go through any old client lists and ensure you contact them in the first instance to obtain their permission to continue to contact them with related services or marketing.
Consider your approach under the new guidelines and how your business would handle a data breach. Look at your security and your systems: are they up to scratch? Will they be able to help your business comply?
At the time of writing, the act is still going through Parliament and is not due to be finalised until much closer to the deadline of 25th May 2018, so keep an eye out for any last-minute changes.