On 25 May 2018, a new era in data protection will begin. This is when new rules around collecting, storing and handling personal data come into effect.
Under the General Data Protection Regulation (GDPR), organisations will need to keep transparent records of how (and when) an individual gives consent to store and use personal data.
Built in, not bolted on
This isn’t just an evolution of the Data Protection Act – it has wider implications for the way that companies operate. It requires data protection by design and by default, so privacy has to be built into systems and processes from the outset rather than added afterwards.
Organisations will need to know exactly what personal data they hold and where it is located (on PCs, servers or in the Cloud). They must also have procedures in place to remove it permanently when an individual in the EU requests this and there is no longer a lawful reason to keep it.
We’ve moved on. The current Data Protection Act dates from the 1990s when only the largest companies had the means to collect and store significant amounts of data. Times have changed and the digital revolution is upon us. Thousands of SMEs now routinely access and store data about their customers.
As many of our clients are SMEs, we figured it would be useful to outline some key points about the new regulation. You have better things to do than read the official document’s 200+ pages.
What will the new data protection law mean for your business?
You will need to use simple language when asking for consent to collect data. You must explain clearly to customers what you do with their information. You’ll also need to have the functionality in place to respond to requests to delete data. Any system that holds personal data will need to be capable of genuinely erasing it, rather than just hiding it from view or flagging it as inactive. Quite a challenge.
So what’s changed?
The world has changed. Huge amounts of digital information are collected, exchanged and used every second around the globe. The GDPR will include, for the first time, things such as genetic, mental, cultural, economic or social information that can be used to identify an individual.
It doesn’t matter where your business is based – after 25 May 2018, if you’re processing data about someone in the EU, you’ll need to follow the rules.
We’re all familiar with the small print on marketing materials. Things like the pre-ticked boxes that imply consent unless customers choose to opt out. Under the new rules, where you rely on consent, individuals have to actively give it – and they can also withdraw it at any time. When this happens, and you have no other lawful basis for keeping their data, their details must be permanently erased – not just removed from mailing lists. It’s the right to be forgotten.
What happens in the event of proven non-compliance?
The penalty for breaching the regulation is eye-watering.
Serious violations will set you back up to €20 million (around £17 million) or 4% of your annual global turnover, whichever is higher.
Here in the UK, the Information Commissioner’s Office (ICO) will enforce the GDPR. It’s worth following their updates here before 25 May 2018.
Their intention isn’t to make early examples of organisations for minor infringements or to threaten big fines. There are other sanctions that they’ll use in cases of non-compliance… reprimands, warnings, corrective orders. As a result, it’s your reputation rather than your bank account that’s more likely to suffer.
Final guidance was published in December 2017; you can see it here.
Let’s end on a positive. You very likely already comply with the terms of the Data Protection Act, so you’re well on the way to being ready for GDPR. If your website stores information about your customers, it’s a good idea to get in touch for an audit so we can help you identify the changes – if any – you need to put in place.