How To Avoid a €20 Million Fine With New Data Laws (GDPR)
Are you feeling confused about the EU’s new GDPR requirements and what they’ll mean for your business?
Maybe you’re not even 100% sure of what it is, or if it even applies to you. In which case, you’re probably going to need to sit down for this.
With the news that only a fifth of UK businesses are prepared for when the EU’s General Data Protection Regulation comes into force on 25th May 2018, a lot of businesses may end up facing harsh fines, which is why it’s vital that this information is made readily available so everyone can get up to speed as soon as possible.
Why? Well, if you’re not GDPR compliant by the date above, you’ll face heavy penalties of up to either 4% of your global annual turnover, or €20 million – whichever is greater.
And if that doesn’t put the fear into any business, I honestly don’t know what will! (Despite this, another recent study by Symantec showed the startling result that 23% of businesses feel they won’t be fully compliant by May.)
Which is why, as an experienced digital marketer, I don’t want you to get caught out. I’ve put together this blog post to discuss how GDPR affects you, and what you should be doing to prepare for it.
This post will cover:
- What GDPR is and why it’s being introduced
- How it will affect businesses in the UK
- Initial preparations for how you can stay compliant
What is GDPR anyway?
GDPR (or the General Data Protection Regulation) is a new European privacy regulation, which is set to be implemented in all local privacy laws across all countries in the EU and EEA. It applies to any businesses or companies that sell products or services to – and store personal information of – citizens in Europe.
And as long as you fall into the definition above, it doesn’t matter whether you’re located within Europe, or anywhere else in the world. This law still applies to you.
This new legislation is being introduced to give citizens of the EU and EEA more power when it comes to their personal data, and how it’s used. This applies to individuals, customers, prospects, contractors and employees in terms of control over their personal data. It also aims to take some power away from large organisations that use this data to make a profit.
It sets out to provide reassurance that individuals’ data is protected, secure and in safe hands at all times. Personal data can be any information related to an individual, including their name, email address, photo, social media updates – even a computer IP address, according to the GDPR Directive.
Under the GDPR, there’s also no distinction between personal data within a work environment, compared to a private or public environment.
Feeling a bit bamboozled yet?
How will it affect you?
Once GDPR is introduced, the responsibility will fall on you to ensure you’re compliant. Companies and organisations who don’t comply with GDPR will face potentially very hefty fines, up to €20 million – or even more.
This applies to any business or organisation that offers goods and/or services to EU citizens. And that’s whether your business is in the EU or not – even the data processing itself doesn’t have to take place within the EU for the onus to be on you.
There are eight key rights for individuals under the GDPR that I really want to mention here – including what you’ll need to do to comply with these rights:
1. The right to access
As in, the right to access their personal data at any time. They can also ask how this data is being used by a company or business after they’ve given it. You must be able to answer this fully and honestly. You should also be able to provide the individual with a copy of their personal data. This should be free of charge, and in electronic format – if they request this.
2. The right to be forgotten
If an individual is no longer a customer, or if they take back their consent to use their personal data, they have the right for that data to be permanently deleted and no longer accessible in any form. Holding onto it for any reason will violate this law.
3. The right to data portability
Individuals will have the right to transfer their data between different service providers. This must be done in a commonly used, easily accessed and machine-readable format. You must be prepared to do this upon request.
4. The right to be informed
Essentially, this applies to any data gathering by companies or businesses. You must inform individuals before you gather their data, and they will have the right to opt into this. Consent must be freely given instead of simply implied.
5. The right to have information corrected
Individuals will have the right to make sure their data is up-to-date and correct at any given time. You must be prepared to access and update this information as and when requested to do so.
6. The right to restrict processing
Individuals have the right to request that their data should not be used for processing. They can choose to keep their record in place, but for it to remain unused.
7. The right to object
This applies to direct marketing, and gives individuals the right to put a stop to having their data processed for this use. Processing must stop immediately upon receipt of this request. You must also make this right clear to individuals at the beginning of any communication.
8. The right to be notified
In the event of a data breach that results in compromising the personal data of an individual, you must inform the individual within 72 hours of becoming aware of it.
This is what you need to do to be GDPR compliant
GDPR has huge implications for most companies and businesses currently based in the UK – and beyond. Which is why it’s vital you start thinking about your processes now, and keep up-to-date with the latest GDPR news to ensure you’re fully compliant by May.
It’s recommended that all businesses that work with, collect, store and/or use personal data designate someone in their team as a data protection officer or data controller in charge of GDPR compliance.
The ICO have highlighted 12 steps you should be taking right now to ensure you’re prepared for May 2018. Here’s a brief summary:
- Ensure key decision makers in your business are aware of GDPR and its impact
- Document the data you hold, its origin, and who it’s shared with. An information audit may be a good step
- Ensure your current procedures allow you to fully comply with the individuals’ rights outlined above – are you able to send personal data electronically, on-demand?
- Carefully plan for how you can update your procedures to ensure you can handle requests regarding personal data within the relevant timescales
- Carefully consider how you ask for, record and store consent in terms of collecting personal data – you may need to make some changes for compliance. Consent forms must also be stored, as the burden of proof will fall to you
- Decide whether you’ll need systems in place to verify the age of individuals and whether you need to obtain consent from a guardian
- Begin taking steps to ensure you have the right procedures in place to deal with any breaches in data (this includes detecting, reporting and investigating breaches)
- Read up on the ICO’s code of practice on Privacy Impact Assessments, along with the latest guidance from the Article 29 Working Party, and how/when you should implement these in your business
- Determine whether you need to formally appoint a Data Protection Officer. Consider how this fits in with your business’s structure and governance arrangements (if applicable)
- For businesses operating in more than one EU member state, find out your lead data protection supervisory authority. Refer to Article 29 guidelines for help and guidance
If you follow the above steps (or the ones that apply to you), this should go some way to preparing you for when the new legislation comes into effect in May.
Advice from an experienced digital marketer
Don’t panic. There’s plenty of time to ensure you become GDPR compliant before May 2018. In the meantime, I recommend keeping up-to-date with the latest news and tips on GDPR compliance. I’ve highlighted some key resources below to get you started.
SuperOffice have a good example of how to begin collecting personal data in future:
Key GDPR resources to keep bookmarked
- ICO (Information Commissioner’s Office, UK): Preparing for the General Data Protection Regulation (GDPR) – ‘12 Steps to Take Now’
- The full law text: GDPR, dated April 27th 2016
- European Commission Fact Sheet
- DMA UK: All the latest news, updates and webinars relating to GDPR
- Protection of Personal Data (via the European Commission)
Your next steps
Now is a good time to review how your business currently deals with customers’ personal data, and to start thinking about the steps you can take now to become GDPR compliant. This may include running re-permissioning campaigns if you already have an email list.
Bookmark the above links, and ensure you stay notified about the latest updates and developments concerning GDPR. It may be worth designating someone in your business to be responsible for ensuring you’re fully GDPR compliant when the new law comes into effect next year.
Do you have any specific questions about GDPR? Let me know in the comments section. I’ll reply with something helpful!