According to TrustArc’s 2017 survey of Privacy Professionals, 61% of businesses have not begun GDPR implementation. However, the consequences of not implementing a GDPR strategy are much more daunting than the work of implementing one. May 25th, 2018 is a day all businesses need to take seriously.
The General Data Protection Regulation (GDPR) is a new data protection law. Brought in by the European Union, the GDPR deals with how personal data is collected, processed, managed and shared. And nope, Brexit does not mean the UK is immune from these laws! If your business ignores this law, you can face fines of up to €20,000,000 or 4% of annual global turnover, whichever is higher! It doesn’t matter if you’re a sole trader or a major corporation, the new data protection laws will affect you.
The current data protection laws date back to 1995. This was prior to smartphones, social media and superfast, instant internet access. Clearly outdated, the aim of the new law is to give individuals more control over, and peace of mind about, how their data is used.
How your Business can be Affected
If your business has ways of collecting personal data, whether through an online form submission or undetected website tracking cookies from your CRM, this will be affected by the GDPR laws. Gone are the days of pre-ticked check boxes to allow consent on websites. You must now have a range of un-ticked check boxes detailing consent for various options. It is no longer a one-size-fits-all policy.
The right to unsubscribe or to withdraw consent must be communicated to the individual. They must be allowed to opt out as easily as they opted in. Businesses must keep a record of when an individual opted in, as well as how they did it, ‘periodically’ confirming that they still give consent for you to hold their data. Individuals also have the right to know what data is being held about them, where it is being held, for what purpose and who gets to see this data. If requested, businesses have up to a month to respond to any queries an individual may have about their data, but only at ‘reasonable intervals’.
If your company is responsible for a data breach, you are obliged to make the Information Commissioner’s Office aware of this. This must be done within 72 hours of your business finding out. The Information Commissioner’s Office will expect you to pass on information about the breach. This includes how many people are affected by it and what you are planning to do. As a result, you are then required to contact each individual whose data has been affected within this 72-hour period. If you do not comply, you will be faced with either a €10,000,000 fine or a penalty of up to 2% of your business’s annual worldwide revenue. Again, whichever is higher.
The ‘Right to be Forgotten’
One of the rules of the GDPR includes the ‘right to be forgotten’. If an individual wants their data to be deleted, they can state that they have decided to withdraw consent for the business to hold their data any further. The business holding this data would then be obliged to delete not only its own copy of this individual’s data, but also any copies other organisations hold because of your business.
How you can Prepare for the GDPR
As discussed above, the GDPR laws involve some hefty fines should your business not follow the rules. To reiterate, an unreported data breach could cost you up to €10,000,000 or 2% of your business’s annual worldwide revenue, as well as giving the individuals whose data has been compromised the opportunity to take you to court. And, by not following any of the GDPR laws, you also face a penalty of up to €20,000,000 or 4% of your business’s annual worldwide revenue, whichever is higher.
So, you can understand how serious the consequences are if you do not comply with the new law.
Just because the law doesn’t come in until May 2018 doesn’t mean you can forget about it until then. Any preparation and planning you can do beforehand will massively help push your business in the right direction. If your business can afford it, hire or contract an employee who specialises in data protection laws. If you can’t afford more resources, send one of your employees on some data protection courses, particularly some that specialise in the GDPR. Sage are holding daily webinars which have been developed specifically to support customers in learning more about the GDPR and understanding what it means in practice.
The sooner you start to implement new procedures to comply with the GDPR law, the better! Give yourself enough time to educate and train up your employees. Get prepared for the 25th May.
There is some amazing help and resources out there about the GDPR. Have a look through some of the webinars, guides and e-books to help you prepare for the GDPR.
IT Governance ran some helpful webinars in 2017; fortunately, if you missed them, they are available to watch in their archives. They have a massive series of GDPR webinars covering risk assessments, legal obligations, data mapping and data protection.
Marketo are one of the leaders in the marketing industry. They have a really insightful guide called ‘The GDPR and the Marketer’. You don’t need to use any of Marketo’s products to find the guide useful; I found it helpful to read a guide from the perspective of marketing.
Computer Weekly is one of the leading IT news sources. They have a great guide on the challenges and opportunities of the GDPR and how it will affect your business.