The General Data Protection Regulation (GDPR) is finally with us. As of 25 May 2018, the GDPR lays down a whole new framework for data protection right across the EU – including the UK.
The GDPR sets out new and enhanced rights for individuals, designed to give them greater control over what happens to their data. Linked to this, in areas such as data security, transparency and record keeping, it also introduces some important new rules, and changes to old ones, for businesses and other organisations to get to grips with. In short, it does affect your business.
GDPR is everyone’s business
As recently as March of this year, the Financial Times reported that fewer than one in 10 small UK businesses were ready for GDPR. Meanwhile, with just two weeks to go, a poll of Britain’s Institute of Directors suggested that only six in 10 members were going to be fully compliant in time for the implementation date.
For many organisations, competing business priorities may have left them preparing for the new law a lot later in the day than they would have liked. If your business falls into this category, our last-minute guide, “What to do if you have not prepared for the GDPR”, should make for useful reading.
There will also be some organisations that still think the GDPR is only for the Amazons and Facebooks of this world and that somehow, “GDPR isn’t really for the likes of us”.
Here’s the reality: if you handle “personal data”, then GDPR is your business. This includes the data of customers, employees, supporters, club members, patients and pupils (to name just a few).
From the niche B2B consultancy with practically no web presence to the big online retailer, the GDPR will have an impact on the way you do business. Here’s a closer look at some of the key areas where the new law will make an impact, and how to absorb that impact to ensure “business as usual”.
Sanctions for non-compliance: the GDPR impact you want to avoid
Ignoring the GDPR exposes your business to a range of penalties. These include fines levied by the regulator (the GDPR increases the upper limits for these fines). More likely, you could find yourself at the sharp end of an investigation, possibly followed up with a formal order requiring you to make the changes necessary to abide by the rules.
You can read more about GDPR penalties here, but just remember that any form of official intervention can mean disruption and expense, and can cause severe damage to your reputation in the minds of customers.
By taking the GDPR seriously and ensuring that no aspect of it gets overlooked, you avoid sleepwalking towards non-compliance and the very real business risks that this raises.
Your core product offerings
To do business, certain forms of personal data processing are an absolute necessity. The customer’s name, card details, contact information, address for delivery: you need to process all of this for the sale to go ahead.
So let’s say you run a very simple business model. The personal data you handle or store is confined to what’s absolutely necessary for the sale to go ahead. Even here, there are still some important GDPR-related obligations to consider. Notably:
- Storage limitation. In other words, making sure that you don’t retain data for longer than required.
- Integrity & confidentiality. What measures do you have in place to ensure that the data is secure while under your control? Read our article on data security for more information about appropriate levels of protection against data breaches.
- Transparency. You need to explain to data subjects why you need their data – and what it will be used for. Our guide to privacy policies helps you get to grips with this.
In fact, the core GDPR principles should inform your approach to even the most basic ways you put data to work within your business. You can read more about these principles here.
What does this company know about me? How do I get copies of my records? As publicity about the GDPR increases, businesses could see a boost in the volume of data-related queries from customers. Your customer service staff could find themselves bearing the brunt of such requests.
Failure to respond to a subject access request opens up the possibility of formal complaints from customers and regulatory sanctions. Read up on SARs here – and right now, make sure your people know how to spot such requests if and when they arrive.
In most instances, for marketing communications, businesses need to ensure that they have valid consents in place to continue contacting customers and processing personal data for marketing purposes. That said, the deputy information commissioner has just flagged up the fact that some businesses are going overboard in this area. Customers’ inboxes are getting clogged up with consent-related emails, many of which may be uncalled for.
By way of clarity:
- If you already have positively opted-in consent from a contact covering marketing communications, you generally won’t require a fresh consent at this stage.
- If you have contacts on your list where there’s no record of any form of prior consent (and especially where there’s no record of how you obtained those contacts’ details in the first place), it would probably be unlawful and inappropriate even to seek fresh consents. Such contacts almost certainly need to be deleted from your list.
- The GDPR makes it clear that consents should be capable of being easily withdrawn at any time. If it’s not there already, make sure that an unsubscribe button or link is included on all marketing emails from now on.
As under the previous Data Protection Act, the GDPR stipulates that organisations are under a duty to take “appropriate” steps to ensure personal data is safeguarded. Provided that you already stress-test your data estate, keep up with the state of the art when it comes to security and consistently train your workforce, the GDPR shouldn’t require an overhaul of existing systems.
The big changes are linked to reporting and record keeping. The GDPR requires you to maintain an internal register of all data security breaches. You are also required to report data security breaches to the regulator where such breaches are likely to result in a “risk to the rights and freedoms of data subjects”. You’ll need a template and procedure to follow in the event of a security incident occurring, and our guide to data security takes a closer look at these requirements.
Most of what you hear about the GDPR tends to focus on customer data and relationships. At the same time, don’t overlook the fact that employee data is covered, too. Make sure that HR data is included in your data map – and take a look at our HR & data security guide for further info.
Staying on track from 25 May onwards
The GDPR is here to stay and shouldn’t be sidelined a couple of months down the line. Ensure your business is protected by regularly training your staff and creating a compliant culture.
For help with all of this, including a complete methodology for keeping on top of compliance, get in touch with The Privacy Compliance Hub experts and try our free demo. For more information on the GDPR and your organisation, explore the rest of our resources here.