As you may be aware, from the 25th May 2018 the EU's General Data Protection Regulation (GDPR) will be changing the way organisations deal with personal data. So with the clock ticking, let’s take a look at the new directive, the financial implications and how they could affect your business.
For a small number of businesses, getting ready for GDPR will be a relatively straightforward job. However, for the majority, the new regulations will lead to a complete rethink of the way a company stores and collects critical data. Understandably, some businesses are too busy to introduce a compliant data collection process. However, many are simply ignoring the fact that the new GDPR directive is almost upon us.
The consequences of not being ready and failing to comply with the new regulations could result in your business receiving a hefty fine. Therefore, it’s crucial you take the time to prepare.
So to help your business get ready, here’s our comprehensive guide to GDPR and what you need to do to comply with the new regulations.
From May 2018, GDPR will not only give EU citizens more control over their personally identifiable information (PII), but will also hold companies that collect and store any personal data accountable if things go wrong.
As a result, organisations will no longer be able to collect a European citizen’s data without telling the individual why they need it and what they intend to do with it. So from May 2018, if an organisation uses the data for any reason other than the one stated, or is subject to a data breach, the company could be liable for a big fine.
The GDPR directive defines personally identifiable information as anything which could identify an individual. This includes a person’s name and address, email contact, bank account details and even their IP address.
Plus, with Brexit on the horizon, it is widely anticipated that the UK government will include the new directive within any revised regulations.
1. Before, EU citizens had the right to ask a company to delete their information. The GDPR takes this one step further and ensures that the data must also be removed from all third parties it has been shared with, therefore completely erasing the data from the system.
2. Individuals will also be able to exercise their right to be forgotten by an organisation. This means any data which is held on file must be removed from a company’s records at the request of the individual. This is to ensure an individual is not approached or solicited by the company again without the prior permission of the relevant consumer.
3. Any company that collects, handles and stores data must now keep comprehensive records of their data processing systems, including how they are using the data and how long they intend to keep it. Upon request, this information must be readily available to the appropriate data protection authorities.
4. Before, asking permission once was enough to cover all uses of a customer’s information. However, from May 2018, companies will need to ask permission for each action they intend to use the personally identifiable data for.
5. An individual can now request a business to send all the data they hold on them at no charge.
Any data loss, breach, unauthorised access, alteration or destruction could now result in huge financial consequences for your business.
Under the current Data Protection Act, only certain bodies and organisations have been liable for reporting breaches of their data to the ICO (Information Commissioner’s Office), with a maximum fine of £500,000 being applied.
From May 2018, any data breach which is likely to have a significant detrimental effect on an individual, or leave them open to identity theft, must be reported. With GDPR you will be required to report any breach within 72 hours of the incident being identified.
Unlike fines under the Data Protection Act, the new GDPR could result in significant fines of up to €20 million or up to 4% of an organisation’s global turnover.
On your website, you may have a number of data collection features. Therefore, if you are asking for information such as name, address or email, the way you handle this data will need to comply with the new GDPR directive.
As a result, if you use email marketing, this activity will be affected. If you run an e-commerce site, the way your customers input payment data will be affected. In other words, the majority of businesses will be affected by the new regulations.
1. The first thing you should do to prepare for the changes is to gain a full understanding of what the regulation is and how it will affect your business. 14% of small businesses revealed that they don’t know what the GDPR is. To prevent any issues, it’s important your whole business understands.
2. You, or someone who has expert knowledge of the new GDPR regulation, needs to review your current systems, then establish which aspects of your data management system do not comply with the new regulations. This exercise may only result in a couple of tweaks; however, you might find you need to completely rework the way you manage and handle data.
3. Everyone in your business needs to be aware of, and understand, the new regulations. By educating your staff, you are ensuring the new rules will be followed and the chance of a breach is reduced.
4. Review your website. Any customer data collection points must clearly state what the harvested information will be used for. Therefore, anyone who fills in an enquiry form on your website shouldn’t expect to end up on your company mailing list unless it’s clearly specified. If they do, this is a breach involving their personal data and could result in your business being fined.
The new GDPR directive isn’t something to be scared of, as it is there to help protect both businesses and consumers. It might seem like a lot of work now, but by putting the right data management systems in place, you are not only protecting your customers but also your business.
So there you have it. The sooner your business gets on board with the new GDPR directive, the easier it will be for you in May.