In April 2016, the government announced that there were to be extensive changes happening to the rules and regulations around data protection: the General Data Protection Regulation (GDPR). This will replace the previous rulings under the Data Protection Act and is the most significant overhaul of the laws surrounding data protection for over 20 years.
These new rules will be enforced from 25th May 2018, and they will apply whether we’re still a part of the EU or not, so Brexit or no Brexit, you’ll need to make sure you’re familiar with the new regulations. And be aware – the penalties for failing to comply are pretty hefty, so you won’t want to be caught out.
NB: As the GDPR doesn’t become law until May 2018, the specifics of it are still subject to change. We would recommend that you check all facts and required actions by visiting http://www.eugdpr.org/, http://www.eugdpr.org/key-changes.html and/or https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/
What data are we talking about, and who does this apply to?
The data in question relates to the information companies hold about their customers and essentially encompasses any information that makes it possible to identify someone, from names and addresses to IP addresses or a wide range of socio-economic factors. The parameters have been widened since the Data Protection Act that most UK businesses currently abide by; so it is worth finding out exactly what data is included so you can make sure your processes are watertight.
GDPR applies to any and every business operating within the EU that handles or processes any form of customer data. So, pretty much every business.
What are the penalties?
That will depend on the severity of the case in question, but fines can reach €20m, or 4% of a company’s annual revenue, whichever is the higher figure. For less serious cases, the fine might “only” be €10m, or 2% of turnover, again whichever is higher. Currently, the maximum fine is £500,000, so you can see how much more severe the new penalties are, and we doubt anyone wants to lose that much money! That is really why we’re making sure you know about it in time to make the changes you need to make.
The key principles
Article 5 specifies that personal data must be:
- processed lawfully, fairly and in a transparent manner in relation to individuals
- collected for specified, explicit and legitimate purposes
- adequate, relevant and limited to what is necessary
- accurate and, where necessary, kept up to date. Inaccurate data should be erased or rectified without delay
- kept in a form which permits identification of data subjects for no longer than is necessary
- kept securely.
It also sets out the rights that people have relating to their personal data, which includes:
- Being informed
- Having access
- The right to rectification
- Entitlement to erasure
- Restriction of possession
- Data portability
- The right to object
- Plus rights in relation to automated decision making and profiling.
It will be up to each company to ensure they can prove that they have complied with the regulations fully; any business which cannot, could be liable to penalties.
What should you be doing about it?
Fortunately, there are several steps you can take to stay ahead of the deadline, but do remember to keep checking the sites above so that you know your information is the most current and accurate it can be. Check the links we have provided (above and below) to see all the official recommendations.
You might want to consider a full audit of your current processes around data acquisition, handling and storage so you know exactly what your current situation is, and what might need changing. You will probably want to implement some staff training, and ensure you conduct a thorough review of HR policies.
You need to make sure you have the right documentation procedures in place; it may be worth appointing someone in your organisation to head this up, to review and improve security features and minimise the amount of data you are collecting. You need to explain to your customers what data you hold and how you intend to use it, and – crucially – you need to get their written consent to do this. If the data will be handed to any third parties, that needs to be explained clearly too.
One of the simplest, yet most critical, steps you can take is to get in touch with everyone on your email database and get them to confirm that they’re happy for you to keep emailing them. If you don’t have their explicit consent, you can’t contact them further under the new rules; and if you contact them anyway, you could be liable for a hefty fine.
What will WE be doing about it?
All of the above! Over the coming months we will be spring cleaning our databases and making sure all our clients and suppliers are happy for us to keep in touch by email. We need your help with this – so when we get in touch, please remember to confirm your acceptance so we can keep in touch with you. We will also be making double, triple sure we’re compliant with every detail in the new regulations, and we’ll be encouraging you all to do the same.
In line with the GDPR requirement around “Privacy by design,” we will also be looking at ways to incorporate the new regulations into any CRM-related modules or applications that we develop, with the aim of making our customers’ lives easier. Please bear in mind, though, that the responsibility for proper and correct data management will always lie with each individual business, so we cannot overstate the importance of familiarising yourselves with the requirements, sooner rather than later!
For more information please visit http://www.eugdpr.org/ (particularly http://www.eugdpr.org/key-changes.html) and/or https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/