General Data Protection Regulation (GDPR)
On 25th May 2018, the General Data Protection Regulation (GDPR) will finally come into effect after years of discussion. GDPR will bring about a full overhaul of how companies must use data. Businesses must be able to state what data is being used for and why they have it. Furthermore, businesses must gain clear and explicit consent to send communications. No longer can companies hide behind terms and conditions filled with jargon. Consent must be gained using clear, plain language. Also, it must be as easy to withdraw consent as it is to give it. It seems fitting that today we publish this advice piece, with exactly one month to go until GDPR is implemented.
‘One month?!’ might be the reaction of some, but please do not worry. There are steps that can be taken to ensure you and your business are fully GDPR compliant by the time 25th May rolls around.
What to expect
Even with just a month to go until GDPR is implemented in the EU, businesses are still only just waking up to the new obligations. Shockingly, in a survey of 1,100 EU-based executives, 40% admitted to not knowing the new rules under GDPR even fairly well. It is of the utmost importance that the rules are understood. For a detailed overview, click here.
It has been stated that the penalties imposed for breach of GDPR can and will be heavy. For serious infringements, fines may be as high as 4% of annual global revenue. There is apparently no grace period in which fines won’t be imposed. However, it is believed that the Information Commissioner’s Office (ICO) will look kindly on businesses that can demonstrate they are putting appropriate systems and thinking into place. Therefore, ignorance is not a defence, but if organisations can show they are seriously planning ahead, some leeway will likely be given.
With GDPR imminent, all business owners should be asking themselves the following key questions:
- What personal data do we have?
- Where is the data stored? (country/system)
- On what legal basis are we entitled to have this data?
- Should we still be keeping it (i.e. has enough time passed that it should now be erased)?
With these in mind, it is also vital to remember the consent component when sending communications. Ask yourself: have you received clear and explicit consent to contact those in your target audience? Ensure that, before GDPR comes into effect, you contact your customers to gain this consent.
Moreover, it is important to remember that the regulations do not apply only to digital data; paper records will also be affected.
Plan, plan and plan again
Ultimately, a plan of action must be produced and maintained by every business that will be affected by GDPR. The fines are steep, and the penalties are not worth the damage to your organisation if you remain non-compliant. Please ensure that you are thinking ahead and referring to those key questions in the run-up to 25th May. It has been said by those overseeing GDPR that there will likely be two or three years of regulatory interpretation and penalties before we can know the full impact of the new rules. Therefore, it is a learning curve both for those within the ICO and for those who must abide by its rules.
Do not fear: simply lay out and maintain your plan of action, ensure you are up to speed with the rules and remain vigilant. After all, 25th May is just around the corner.
How this affects our clients
As discussed, we will soon be unable to send you important information about our work, or update you on business and money matters, without your express permission. We want our relationship with you to be built on trust and understanding.
Giving your permission is quick and simple. In order to receive communication from us, please opt in.
If you have any queries, contact us on 0800 020 9542 or drop us a line firstname.lastname@example.org .