From the 25th May 2018, data-protection is going to become more important than ever before.
GDPR (General Data Protection Regulation) is a new EU-wide directive that comes into force on this date. Anyone caught not playing by the rules could soon find themselves in hot water.
The bottom line: Your organisation must be able to demonstrate that good data protection is a cornerstone of your business’s policies and practices.
If you fail to do so, you are exposing your organisation to significant reputational risk and enforcement action that could result in unprecedented fines.
With that in mind, we’ve created a list of 9 essential things you need to know about GDPR to inform your preparation. After all, failing to prepare is preparing to fail, as the saying goes.
Stiffer penalties for poor data handling practices
Headlines like ‘Will GDPR Bankrupt Your Business’ (http://www.bbc.co.uk/news/business-40441434) are hardly going to instill much joy at the prospect of GDPR coming into force.
The bigger fines for non-compliance are potentially huge. 20 million Euros or 4% of global turnover, whichever is greater, should leave you in no doubt that GDPR is to be taken very seriously indeed. In the article above, electronic financial transaction specialist Consult Hyperion forecasts that EU financial institutions alone will be facing fines of up to £4.1 billion in the first 3 years of GDPR coming into force. For Fintech and Intech, the implications couldn’t be starker.
If you are reading this it probably affects you
Does your organisation handle personal data of EU citizens? Do you contract other businesses or organisations to handle personal data of EU citizens?
If the answer is yes, then you are liable as either a ‘controller’ or ‘processor’ of data and you need to be preparing for GDPR now.
The definition of personal data is changing
It isn’t just about bigger fines. If you are aware of the Data Protection Act, 1998 then you should also be aware that new rules are making the definition of personal data far more rigorous in scope.
Under GDPR, personal data now includes IP Addresses and Pseudonymised Data as well as anything under the DPA, 1998.
Rules around Consent are getting tougher
In the past, gaining consent was a relatively straightforward process. We’ve all seen the warning at the top of our screens that says: ‘By using this site you are agreeing to xyz…’ but no more.
Here are 4 things you should know about consent:
1. Consent cannot be given by a pre-ticked opt-in box on your site
2. You must make it very easy and straightforward for people to withdraw consent
3. Use clear and plain language when explaining consent to users
4. If you already have consent from users, you’ll need to make sure it passes the above tests or it will be deemed invalid. You should be checking this now and evaluating whether you need to ask them again
Brexit isn’t going to save UK businesses from this EU law
Regardless of what happens with Brexit over the coming years, GDPR will have a major effect on UK businesses.
Don’t forget, any organisation handling EU citizens’ data will be liable, whether they are registered in Frankfurt, London or San Francisco.
So, if your organisation supplies goods or services to EU Citizens (and don’t forget that includes all Brits until at least March 2019, and quite possibly beyond) then GDPR affects you.
GDPR is all about the rights of the individual
We’ve known for a long time that big data is a valuable commodity. GDPR is the EU fully recognising this fact as it seeks to improve trust in the emerging digital economy.
Here are 8 things that individuals have the right to under GDPR:
1. The right to access – the right to request access to your personal data and to ask how your data is being used by the company. The company must provide a copy of the personal data, free of charge and in electronic format if requested
2. The right to be forgotten – the right to withdraw consent from a company to use their personal data and to have that data deleted
3. The right to data portability – the right to transfer personal data from one service provider to another. This must happen in a commonly used and machine-readable format
4. The right to be informed – the right to be informed before data is gathered. Consumers must opt in for their data to be gathered, and consent must be freely given rather than implied
5. The right to have information corrected – the right to have your data updated if it is out of date or incomplete or incorrect
6. The right to restrict processing – the right to request that your data is not used for processing. A record can remain in place, but not be used.
7. The right to object – this includes the right to stop the processing of your data for direct marketing. This right must be made clear to you at the start of any communication.
8. The right to be notified – the right to be notified of any data breach that compromises your personal data within 72 hours of the company first becoming aware of the breach.
You may need to employ a Data Protection Officer
A DPO can be a member of staff (who must be of appropriate level with recognised training); an externally sourced DPO; or one shared by a group of organisations.
You’ll need a DPO if you fall under one of the following criteria:
1. A public body, including government departments
2. An organisation whose core activities consist of data processing operations
3. An organisation whose activities include processing special categories of data such as health records or criminal convictions
GDPR, combined with the growth of cyber-attacks, makes security vital
It’s unfortunate for business but there’s no getting away from it; with hacking on the increase and GDPR coming into play, your cyber-security has never been more vital.
If you get hacked you’ll need to be able to demonstrate that you took all reasonable steps to protect your users’ data. You should be conducting a security review of your digital assets now.
If you’re feeling unprepared, you are not alone!
Unsurprisingly, many organisations are feeling slightly unprepared for GDPR. A recent poll found that fewer than half of all IT Security professionals are actively preparing for GDPR and that 28% were ignorant of any preparations being made by their company at all.
Speaking to the BBC, Mark Thompson of KPMG says:
“Many businesses have no idea what to do and don’t want to grasp the nettle… there’s a lot of misinformation and panic around at the moment, but if businesses don’t take responsibility for this at board level they will fail.” “This will affect every part of their business.”
Are you factoring in GDPR as part of your digital strategy?
The above is just a brief overview of what is coming our way in May 2018. Anyone planning a digital build or marketing project for 2018 and beyond needs to be thinking about GDPR and how it is going to affect both their current business activity and any sales and marketing plans moving forward.
A good GDPR strategy is vital for every business and marketing team. If you are concerned about how GDPR may affect your current and future digital strategy, book an appointment to speak to one of our team today. We can help you navigate this complex process and find ways to turn these challenges into marketing opportunities.
GDPR is particularly important for organisations in the financial services sector – Blaze works closely with businesses across this sector and can provide support and insight into integrating GDPR activity into marketing strategies and campaigns.
Find out more about Blaze Financial Services Marketing, here >