The new GDPR regulations come into effect on 25th May 2018 – is your business ready?
What is GDPR?
GDPR (General Data Protection Regulation) is a set of rules which bring the current data protection rules up to date to cope with the changing landscape in information and data technology. It is an EU mandate which is designed to set a standard for data protection rules for all EU citizens. If you market to individuals within any of the EU states, then you need to be compliant with GDPR.
GDPR gives EU citizens more control over how companies use their personal data. If you run a company from outside of the EU and you deal with individuals within the European single market, then you will need to be compliant.
What does GDPR mean?
GDPR means you have to be competent, and ethical when dealing with data on individuals. You need to get explicit consent for the individual to receive marketing communications – this will mean a ‘double opt-in’ for example, and you have to use the data reasonably. Sending individuals multiple emails will be in breach of GDPR. In the past, you could assume that because someone has not unsubscribed from your newsletter then they’re happy to receive it. From May, this will not be the case.
You need to make sure your data handling systems are secure, with any breaches being reported ASAP to the Information Commissioners Office. You also must have a way of informing individuals whose data has been compromised.
What should we do to be compliant?
First of all, you need to think about how your company already processes and handles data on individuals – whether this is confidential personal records on your employees, to simply emails on a marketing list. You should do an assessment of the data you hold, how it is stored, and how it is used currently.
A top priority is to nominate a Data Protection Officer to take responsibility for data and data compliance. You may legally be obliged to have one, but even if you don’t, having one person to make sure you comply is helpful.
You should update your procedures for subject access requests, which individuals are allowed to make under GDPR.
Going forward, you should assess how you collect data in the future, and how you can manage it better to comply with GDPR.
What if we don’t comply?
The fines under GDPR are much larger than under The Data Protection Act. Big companies potentially can be fined millions of pounds for a serious data breach. Any size company can be fined for non-compliance with GDPR. Of course, this will only happen if there is a data breach or someone makes a complaint against you as a business, but there will be a lot of awareness building on GDPR in 2018 and you need to be careful – if you misuse data in any way, there’s lots of potential for you getting reported and investigated.
Don’t let your lack of action result in a costly fine. We do recommend cutting your business costs where you can, but data compliance isn’t the best area for being tight with resources.
See these links for more information about GDPR and your business…….
GDPR – Everything you need to know
Official advice from the Information Commissioners Office
Speak Your Mind