In May 2018, data protection is changing in a huge way. The introduction of the General Data Protection Regulation (GDPR) forces companies of all sizes across Europe to take notice and act on data protection, or face heavy penalties. No company is exempt from the new regulations; ignorance is not a valid excuse, and action must be taken to ensure compliance. Here are 5 things you need to know about GDPR:
1. Brexit does not exempt you from GDPR
Britain may be leaving the EU under Brexit, but the GDPR was agreed by all EU member states (including the UK) long before the Brexit ruling. Companies registered in Britain will therefore be accountable under the GDPR, and the regulations still apply regardless of whether Britain is part of the EU.
2. All personal data is affected by GDPR
So, you’re thinking about forwarding this article to your marketing team with instructions to perform a data compliance audit? That’s a great start, but it is a small drop in the ocean when it comes to GDPR. The important thing to remember about data that falls under the new regulations is that it relates to all personal data – that includes the data of your customers, your staff, and any other stakeholders in your company. This can be everything from mailing lists to HR records, CCTV footage and ID passes. Anything that can be used to identify an individual person falls under the GDPR ruling and therefore must comply with the new regulations.
3. Data usage must be explicitly outlined and audited
4. Consent must be clearly given and not taken
Does your coffee shop give free Wi-Fi in exchange for signing up for the monthly newsletter? Do you have an automatically checked “stay in touch” box on your online order forms? Under GDPR, these and many other common marketing tactics are no longer compliant with data protection. The consent of the customer (or any other data subject) for companies to store and use their data for marketing (or any other) purposes must now be given explicitly by the subject, and a clear audit trail should be visible for every data subject and their relevant consent. Should your customer wish to be “forgotten”, it is now mandatory under GDPR that you ensure all data records relating to that person are permanently deleted (not just from your mailing list).
5. Non-compliance comes with serious penalties…
Have you not yet thought about GDPR, or are you in the mindset “we’ll cross that bridge when we come to it”? Then STOP! From 25th May 2018 GDPR will be in full force and the Information Commissioner’s Office (ICO) will be granted the power to enforce serious and damaging penalties on companies that are non-compliant with the new regulations. The penalties brought into force will be:
- 4% of annual global turnover, or
- a fine of €20m
Whichever penalty represents the greater value will be enforced by the ICO on any company that breaches the new regulations, meaning data security should now be taken more seriously than ever.