These four letters stand for a new EU data protection law, namely, the General Data Protection Regulation.
Over the next few weeks we will be giving you more information and suggestions to help you ensure you are ready and, most importantly, compliant. Don't forget to subscribe to our blogs so you do not miss out on this important information!
The new General Data Protection Regulation (GDPR) will determine how your organisation does business, and in particular how it manages, protects and administers personal data in the future.
The date you need to make a note of in your diary is 25 May 2018, because that’s the date the new regulation comes into force and if your organisation is found to be non-compliant you risk encountering huge fines!
The greatest change within GDPR is the way consent is granted. Consent must be knowingly and willingly given by the individual, with organisations making clear how they intend to use the data. Soft opt-ins, implied consent, and hiding data policies within confusing T&Cs are all against GDPR rules.
Organisations must also keep a record of why, when and how they were granted permission, together with details of what the individual was told at the time. If permission was given orally, a script of what was said will do; call recordings are not essential.
What does this mean for you?
It means your customers are going to have the right to access, correct and request the erasure of any personal data that you hold on them. If that data is breached, you will need to notify them without undue delay where the breach is likely to put them at high risk.
When it comes to being GDPR compliant, good customer communication strategies aren’t just a nice to have – they are essential.
Currently, here in the UK, we are legally bound by the Data Protection Act (DPA) to protect the data we hold, and we assume that if you are in business you are registered with the Information Commissioner's Office (ICO), which is responsible for ensuring compliance with the DPA. The ICO will also be responsible for enforcing the GDPR in the UK.
And before you ask, "Why would this matter when the UK is in the process of leaving the EU?", the important point to note is that the GDPR comes into force before Britain leaves the EU, and it is very probable that it will remain in UK law for some time, if not indefinitely.
Why do I need it?
Since the current data protection laws were written in the 1990s, the amount of digital information we create, capture and store has vastly increased. Simply put, the old regime is no longer fit for purpose. Things must change.
In the last 12 months there have been a number of massive data breaches, including millions of Yahoo, LinkedIn and MySpace account details. Under GDPR, the ICO has to be told about a breach within 72 hours of an organisation becoming aware of it, and the people it affects also need to be told where the breach is likely to put them at high risk.
Elizabeth Denham, the UK's information commissioner, who oversees data protection enforcement, says she is frustrated by the amount of "scaremongering" around the potential impact for businesses. "The GDPR is a step change for data protection," she says. "It's still an evolution, not a revolution". She adds that for businesses and organisations already complying with existing data protection laws the new regulation is only a "step change".
You need to have processes in place, but don't be scared by the hype. Admittedly, GDPR means you'll need to interact with your customers in ways you never have before, but there are plenty of ways to do so; choose a method that works for both you and them, otherwise you'll have more problems to solve down the line.
You must be compliant with this regulation by 25 May 2018; otherwise you could face penalties of up to €20 million or 4% of your company's worldwide annual turnover, whichever is greater.