By next year, all businesses in the UK will have to comply with the General Data Protection Regulation (GDPR). It will dramatically overhaul how companies collect, process and store data. Businesses must prepare for the changes, as the GDPR is a legal framework that replaces the previous 1995 Data Protection Directive. To help navigate this looming minefield, here’s our guide on how to get up to speed with the GDPR.
What is the GDPR exactly?
As of May 2018, explicit consent will have to be given before companies can use the information people give them. Under the new rules, companies will no longer be able to rely on long terms and conditions that don’t clearly inform the reader about what they are consenting to. Failure to clearly demonstrate consent as outlined in these new guidelines will result in fines. Also, all companies will have to notify data breaches, which must be done within 72 hours of first becoming aware of the breach. The main goal of the new legislation is to strengthen data privacy and the rights of EU citizens online.
How will it work in practice?
Changes under the GDPR will impact the way companies work in many ways. A Data Protection Officer (DPO) will be required for all the main activities involved in regulating and overseeing data. DPOs will be the driving figures behind fostering a data protection culture within companies and organisations. Any company that processes personal information will need to appoint or delegate one. Also, Privacy Impact Assessments, a tool companies can use to assess the risks of the data they collect, are going to be made mandatory under the GDPR. The legislation applies to all businesses in the EU and even to non-EU organisations that process any data from EU citizens.
The way marketing activities and data permissions are managed is set to change. In practice, companies will have to make sure that a person wants to be contacted by including an opt-in on sign-ups. This means that you can no longer assume people want to be contacted. For example, you won’t be able to automatically sign visitors up for emails when they fill out a web form.
The customer must understand what they have consented to, without any hidden details, and companies must tell people they have the right to withdraw their consent. Consent requests must be separate from other terms and conditions, with an explicit action to opt-in. So, consent must be obvious, unbundled and user-friendly. The point is that people must have an ongoing choice for how their data is managed.
How do you prepare your business for GDPR?
Firstly, you need to review your company’s documentation and assess what data you hold and where it came from via an information audit. You should also update any procedures so that they comply with the guidelines. Likewise, any contracts your organisation has with third parties should be reviewed. Under the GDPR, an individual has the right to request that their data be erased; therefore, a procedure for dealing with such a request must be put in place. This applies to both employees and customers who use your online services. It’s critical that you make sure you have the right tools to detect a data breach, as well as hiring a DPO.
Also, you need to make sure that all the key figures in your business understand how to process data in the proper way, as the company can be fined otherwise. Fines can be as high as €20 million or four per cent of a company’s global turnover. During your preparation, it’s important to know that you must not send emails to your customers asking for consent, as the message itself counts as marketing. Flybe learned this the hard way when they were fined 70,000 in August 2016 by the ICO for doing just that, and the penalties will be heavier under the GDPR. Please check out our infographic below: