On May 25th, a new set of data protection rules, the General Data Protection Regulation (GDPR), will come into force.
With it comes the biggest shake-up of UK data protection law in decades.
In this short guide, we'll look at what impact GDPR could have on your organisation, and some things you can do to make sure you comply with the new rules.
However, please remember that all businesses are different and that we can only cover general advice in this guide. So make sure you seek out expert advice that's tailored to your individual needs.
So with that in mind, here's some more information on GDPR and some tips to help you achieve compliance.
Will I be affected by GDPR?
GDPR is likely to affect almost every business that collects personal data of some kind. This could be something as simple as names and addresses, or more sensitive information such as medical records.
In practice, this means that almost all online businesses will be affected in some way.
What about existing data protection legislation?
GDPR will be enforced in the UK by the introduction of a new data protection act. This will replace the 1998 Data Protection Act.
Although there will be many similarities between the two acts, the new act will introduce some significant changes with which you will need to comply.
What about Brexit?
GDPR comes into force before Brexit is set to happen. In addition, the introduction of new UK data protection legislation means that UK businesses will still need to comply with GDPR rules even after Brexit occurs.
What are the big GDPR changes that I need to be aware of?
Here are some of the key differences between the new GDPR rules and existing UK data protection legislation.
Larger fines for data protection breaches
This has been one of the bigger headlines surrounding GDPR, and it's true - the maximum fine for failing to comply with data protection rules will increase to €20 million, or 4% of the business's turnover, whichever is higher.
Now, that's a lot of money - but of course fines of this magnitude will be reserved for the most serious of breaches, and even then they will likely only be applied to repeat offenders.
So don't worry that a small lapse will lead to a disproportionately large fine. But make sure you do everything you can to comply with the new rules so you don't get a nasty surprise.
It will be easier for people to access their data
Under the new rules, if someone asks for the data you hold on them, you'll have to supply it for free and within one month.
This means you'll need to know what data you hold, and who you hold it on, so you can comply with these requests quickly and easily.
You'll need to be more transparent about what you do with personal data
If you're a large company (one with more than 250 employees), you'll need to produce a document that informs people why you collect their data, what data you collect, how long you'll keep that data for, and the security measures used to protect that data from misuse. These businesses will also need to appoint a data protection officer.
All businesses will also need to obtain consent in order to use a person's data for certain purposes, including marketing.
Under GDPR, this consent will have to be informed (ie people understand what they are agreeing to), granular (ie people must be able to opt in to each use of their data individually) and positive (ie no pre-ticked boxes).
Don't forget - this kind of consent will be required for all forms of marketing including, for example, email marketing and retargeting via cookies. You'll also be required to keep proof that consent has been granted.
The Information Commissioner's Office has produced this useful guide to consent and GDPR.
How can I begin to prepare for GDPR?
Although every business is different, there are some general tips we can offer to help you to start preparing for the new rules.
Understand what data you already hold, how you use it and how GDPR will affect your use of this data. Don't forget - just because the way you are using someone's data is lawful now, it doesn't mean that it will remain so under GDPR. In particular, you may need to seek consent from people you have been sending marketing messages to if you wish to continue doing so.
Once you've carried out this data audit, you can then create a data and privacy policy, which you can use to tell people how you'll be using their data and what you'll do to protect it. Not only will this help you comply with GDPR, it will also build trust with existing and potential customers.
Speaking of protecting data, make sure any personal data you keep is encrypted and stored on a password-protected device. You don't want an unfortunate incident such as leaving your laptop on a train to turn into a data breach because anyone who finds it can access a list of your customers' names and addresses.
Finally, make sure your marketing is in order. Although you'll be able to market to people who become your customers without consent (this guide goes into more detail on marketing without consent under GDPR), if you want to continue to market to potential customers, you need to ensure the way you capture their data for marketing purposes is GDPR-compliant.
How can I ensure full compliance?
Now, while all the above tips are a useful starting point, on their own they're probably not enough to ensure full compliance for your business.
With that in mind, we recommend that as well as implementing the above tips, you also seek out independent advice on other steps you may need to take.
Larger businesses may wish to seek the expert opinion of a lawyer specialising in data protection law.
The ICO has also produced a 12-step guide to preparing for GDPR, and also offers a free telephone helpline for small organisations on the issue.