From mild confusion through to outright panic, the looming implementation of the General Data Protection Regulation (GDPR) has left organisations across Europe sweaty-palmed and hyperventilating. Scheduled to take effect on the 25th of May 2018, the regulation has organisations scrambling to prepare, a scramble made all the more fraught by the huge financial penalties that could be levied against those who fail to get it right. To be clear, GDPR is a data law, not a marketing law, but we all rely on customer data and we will be in the spotlight when it comes to GDPR compliance.
Data protection is not a new concept. With the advent of the internet and mobile devices, however, data and privacy regulations have become increasingly important to businesses, regulators and consumers. While the specifics of GDPR are new, it is in fact merely a replacement for the Data Protection Directive, which is over 20 years old.
The new regulation shifts the focus onto the consumer, protecting the privacy of every EU resident and citizen no matter where the data is collected, stored or processed. The EU has also upped the ante with the introduction of hefty fines for non-compliance of up to €20 million or 4 per cent of annual global turnover – whichever is higher. For businesses, this is potentially crippling.
Most worryingly, marketers are simply not prepared, and as we learn more about GDPR, our confusion only deepens: the number of businesses that felt they were on track ahead of the change dropped from 68 per cent to 55 per cent following recent guidance provided by the Information Commissioner’s Office (ICO).
Attempting to untangle the full complexities of GDPR is a herculean task, but these tips should be enough to help you kick-start your GDPR journey:
Even for lawyers, legal regulations can be difficult to decipher – and interpreting the specifics of GDPR is no different. It is a complex and multi-faceted regulation, so understanding its intricacies is particularly vital: your organisation will rely on you to ensure the right documentation and processes are in place to help demonstrate compliance. Getting senior management onside will be key in this process, especially in those organisations where radical changes are required. After all, when the ICO comes knocking on your door, ignorance will not be an excuse.
Organisations hold enormous amounts of data in all sorts of unusual places – from traditional CRM systems to basement boxes of old printed spreadsheets. This should all be ferreted out and clearly documented, recording when, how and why it was obtained, what you are going to do with it, and how long you are going to keep it.
Transparency is paramount: being open and honest with the people who give you their data about what you are collecting, why you want it, how you will be using it and how you will take care of it is a core principle of GDPR.
GDPR is a big win for citizen rights, with more comprehensive outlines of how their data should be handled. Key changes include the ‘right of access’, which has expanded considerably and must now be free of charge. The ‘right to be forgotten’ has also been extended, with individuals now able to be ‘forgotten’ when they no longer want to have a relationship with that brand. You should think about what processes are needed to accomplish this.
The rules around consent are clear: it must be freely given by the individual; the information must be unambiguous, specific and free of jargon; and consent must be given affirmatively. You must also inform the individual of who you are, how you are using their information and that withdrawal of their consent is possible at any time.
Despite the UK’s impending ‘Brexit’ from the EU, your organisation will still need to abide by GDPR, because it will effectively become UK law and will remain so if we plan to have a trading relationship with the EU. Happily, GDPR will ensure that data privacy regulation is the same across the EU – a huge advantage over the current regime.
It is important to note that these are only a few considerations – by no means a fully comprehensive interpretation of the new law, or everything you should think about to prepare. If you have more questions, the ICO are the experts and are best placed to help with any specific queries, and the DMA is a great resource for information on how to get ready.
For many organisations, the legislation may not have a significant impact, as many already have the processes in place to ensure compliance. For others, however, the next few months will be a daunting challenge. If you take away one thing from this article, make it this: document everything. This will be crucial in proving you are compliant should the ICO come to pay a visit.