Disclaimer: This blog is not, and should not be taken as, legal advice. Instead, it aims to provide you with information about what GDPR means for your business to prepare you for what to expect. You can find full information on GDPR on the ICO website.
You may have heard (increasingly in the last few weeks, as the deadline draws near) about something called GDPR. The European General Data Protection Regulation (GDPR for short) is a new law which will take effect throughout the entire EU from 25th May 2018. But it’s not just for companies based in the EU: any company handling personal data on EU residents must also comply.
So, even though the UK is leaving the EU in 2019, if your business handles EU residents’ data, you’ll most likely need to change the way you collect, store and use that data, or risk heavy fines. And in fact, the UK government put forward a new Data Protection Bill in August 2017, which aligns with GDPR, but would be part of UK legislation. So it’s something that needs to be done, however you look at it.
Despite the looming deadline, a government study from January 2018 found that only 25% of businesses that were aware of GDPR had actually made any changes.
So, unless you want to be in that remaining 75% when the 25th May rolls round, you need to figure out what GDPR actually means for your business. What do you need to do to ensure you’re compliant by the deadline? And why do we need GDPR in the first place? Read on to find out more…
GDPR Explained: What Is GDPR and Why Do We Need It?
GDPR is an EU-wide law that aims to give people more control over how their personal data is used by businesses and organisations. Personal data means anything that leads to the identification of a person, such as name, location, bank details, online identifiers and health data.
It will replace the Data Protection Act 1998 in the UK and, across the EU, will ensure that data protection law is as consistent as it can be.
GDPR was created because the way that businesses and organisations use data has changed. We all surrender our data (fairly) willingly to companies such as Facebook, Google, Apple and many others. We’ve seen from recent scandals that some organisations have been less-than-transparent (and in many cases outright unethical) in the way they’ve collected, stored and used people’s data. Personal data is valuable and therefore vulnerable to abuse and theft, so something had to be done to safeguard consumer privacy.
As such, GDPR will clarify for organisations what they can and can’t do legally with regard to customer data, while for users it will give them greater control over how their data is used. Users must actively consent to their data being collected or to being opted in (so no more pre-ticked boxes!). And if a business wants to then use data it has collected for any purpose other than the one originally stated, it needs to get additional permission from the user.
How GDPR Will Affect Businesses – Roles and Responsibilities
The GDPR focuses on responsibilities within individual roles, defined as “data subject” (the user, who owns the data), “data controller” (decides how data is collected, stored and processed) and “data processor” (actually handles and processes the data based on instructions from the data controller).
The data controller and data processor will have several responsibilities under GDPR, including being accountable for any security breaches, reporting any breaches, and keeping meticulous records of the data collected, of any breaches, and of risk assessments. The data subject, meanwhile, has more rights under GDPR than previously, including the right to have data removed or transferred and the right to object to how data is used.
The data controller and data processor will be jointly liable for compliance failures. In addition, certain businesses will need to appoint qualified Data Protection Officers to oversee the data collection process and monitor compliance. However, this does not apply to all businesses, only those whose core activities involve “regular or systematic” large-scale monitoring of Data Subjects, or large volumes of “sensitive” data (e.g. race, ethnic origin, religious beliefs or political opinions – more info here).
GDPR Key Changes: What Does My Business Need to Do to Comply?
If you’ve not already started taking action, you need to, now. Here is a list of actions that you need to take to ensure that you’re compliant:
- Document everything data-related: what data you’re holding, where it came from, where it’s kept, who you share it with and why it was collected (and whether this is still relevant). Make sure you know whether you’re relying on consent as a legal basis for processing data, and if so, when it was given and how. Marketing activity, for example, will rely on consent, so this will be trickier under GDPR.
- Get your team in place: make sure your team are fully aware of their roles under GDPR. Who are your data processors? And your data controllers? Document everything, and train your employees to understand what constitutes a data breach, to report them when they occur and to use any new processes put into place. If you need to, appoint a Data Protection Officer.
- Be prepared to honour data requests: users can request to know what data you have on them, and what it’s used for. They can also request that you delete, move, or amend their data. If your processes and systems don’t allow this now, they will need to, and within one month of the request. This free online form makes it fairly easy – just replace yourcompany in the URL with your actual domain name, fill out the fields as required, and you can create your own GDPR request form.
- Make sure you’re ready for data breaches: data breaches must be reported to your data protection authority within 72 hours of becoming aware of it. Your processes must allow for this.
- Look at suppliers and contractors: Are they GDPR-compliant? If not, this may affect you down the line. You may need to update contracts (e.g. around notification of data breaches), so
This online GDPR checklist gives more detail on each of these, and also shows whose responsibility these actions are (data processor, data controller, or both).
What Does GDPR Mean for Marketing?
If your company does any form of marketing, you’ll know that data is everything, so GDPR will have a huge impact on the way you carry out your marketing activity in future.
In marketing, data lets you track customer behaviour on your website, tailor ads, email marketing and content to browsing habits, purchases or interests, predict how customers are going to behave, and much more that helps you build your brand, grow sales and strengthen your relationships with your customers.
As previously mentioned, the data subject (user) will need to explicitly opt in to allow their data to be processed. By the same token, they can also withhold consent for their data to be used; however, this must not be a barrier to them using your products or services.
So, what’s going to change for marketers? How will GDPR affect your marketing? Here are some things for you to consider:
- Opt-ins and email marketing – customers and leads must confirm that they want to be contacted by you. You can’t just automatically add users to mailing lists any more, and as mentioned above, pre-ticked boxes and opt-outs are not GDPR-compliant.
- Marketing automation – here’s an example of why your record-keeping needs to be absolutely meticulous: you don’t want to send an automated email to anyone who’s opted out, for instance, as this could land you in hot water. So keep your mailing list up to date and ensure you’re only sending automated emails to those who’ve consented.
- “Refer a Friend” programmes – as long as the referee’s data is not stored and (beyond the initial email) they are not contacted – unless they opt in – with promotional material, then there is no problem.
- Right to be forgotten – this means that data subjects have the right to have data removed. So, make it easy for customers to unsubscribe from emails, and to contact you to remove or amend data.
- Data collected – you can still collect the data you need, you just have to explicitly state why you need it and what it will be used for. So, in practice, this is likely to mean that you become more focused on the data you really need, which can only be a good thing!
- Content – GDPR is a great opportunity for content marketers. Create valuable content that users can access by sharing personal information. Give them the incentive to opt in, and show that you’re worth it when they do!
What Happens if My Business Doesn’t Comply with GDPR by the Deadline?
If you do not comply, you risk a fine. At the moment, the ICO can fine up to £500,000 for data breaches, but under GDPR, this could be in excess of £10 million (or 2% of turnover, whichever is higher) for failure to comply, or £20 million (or 4% of turnover, again whichever is higher) for an actual data breach.
If you can show evidence that you’ve attempted to comply, then fines are unlikely to be as harsh, but if you make no effort, then you need to be prepared to accept a harsh penalty.
GDPR will affect your business, there is no doubt about that. But don’t despair: while it might seem a bit vague, confusing and overwhelming, what it really boils down to is being clearer, both with your customers and with yourself, about what data you’re collecting, why you’re collecting it, and how you’re using it.
If you’re doing this already, or starting to, then you’re on the right track. If you haven’t started yet, there’s still time before the 25th May rollout, so what are you waiting for?