GDPR – Businesses are being urged to urgently get their customer data in the best possible shape.
On May 25th 2018, the EU's General Data Protection Regulation (GDPR) becomes enforceable across the EU.
Although the legislation is EU law, which under the European Communities Act 1972 takes precedence over the UK's Data Protection Act 1998, the UK Government has said Brexit will not affect its introduction.
The GDPR represents the biggest change in data protection law for two decades.
One of the major requirements facing businesses under the GDPR will be to tighten the rules around consent for data usage. Consumers will have far more control over their data and what companies can do with it.
Businesses will be obliged to give website visitors not only the ability to opt out of online tracking and marketing, but the choice of whether to opt in at all: consent must be an affirmative action, not a default.
Joel Cortez, Director of Intellistart Limited, said: “The GDPR will mean very significant changes to the way businesses collect and use their customer data. Though there is very little awareness of the impending GDPR, which is set to be enforced on the 25th of May 2018, there are many businesses which are still in the dark about GDPR's impact. However, there is still enough time for businesses to ensure their customer data is thoroughly prepared to drive increased revenues and profitability. Through Intellistart, your business will not only be GDPR compliant, but will have the means to grow its customer data and grow its business as well.”
WHO DOES IT APPLY TO?
The GDPR applies to ‘controllers’ and ‘processors’, and the definitions are broadly the same as under the Data Protection Act. What changes is that processors now carry direct legal obligations of their own: as a processor, you must maintain records of your processing activities and of the personal data you handle on a controller's behalf. As a controller, you must ensure that your contracts with processors contain the terms the new regulations require. As well as affecting organisations within the EU, organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU are also required to comply.
WHICH INFORMATION DOES THE GDPR RELATE TO?
The GDPR applies to personal data, but unlike the DPA, its definition is clearer and broader. For example, under the new regulations an online identifier such as an IP address can be personal data, reflecting changes in technology and how data is collected. Generally speaking, if the information was covered by the DPA, it will also be covered by the GDPR. Both automated processing and structured manual filing systems are affected. Encrypting or pseudonymising data does not by itself take it out of scope: what matters is whether the data can still be attributed to a person, for example by combining it with a key or with other information the organisation holds.
According to the European Commission, “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
As with the DPA, the GDPR also covers sensitive personal data, which it calls ‘special categories’, with some changes to the categories themselves. Genetic data, and biometric data processed to uniquely identify an individual, are now explicitly included. Personal data relating to criminal convictions and offences is not a special category, but comparable extra safeguards apply to its processing.
WHAT DOES IT MEAN FOR THE CONSUMER?
Organisations will start to become more transparent with their customers, with upfront and clear privacy notices. Consent needs to be obtained with clarity, and hidden tick boxes and silence will no longer suffice as permission from a consumer.
Data controllers must now build individuals' rights into any new process they put in place, and, where one is required, an appointed Data Protection Officer will need to champion those rights within the business. The GDPR also makes it easier for consumers to switch suppliers through the right to ‘data portability’: an individual can ask for the data they provided to be supplied in a structured, commonly used, machine-readable format that can be passed to another provider. Objecting to marketing will be simpler for consumers, as organisations must bring the right to object to direct marketing to the individual's attention clearly and separately, at the latest at the point of first contact.
Consumers will be informed of data breaches more quickly. Data controllers are required by law to notify the supervisory authority of a breach without undue delay and, where feasible, within 72 hours of becoming aware of it, and to tell the affected individuals themselves without undue delay when the breach is likely to put them at high risk. Tougher penalties have been put in place for data abusers, so those responsible for nuisance calls and for bombarding consumers with unwanted contact will face stricter fines. Generally speaking, more power is placed in the hands of citizens when it comes to decisions about their data.
STEPS TO TAKE NOW
Do the key people involved in your business understand the importance of the changes? They’re likely to have a profound impact, and cannot be ignored.
It’s time to get organised. Document the personal data you currently hold, where it came from, why you hold it and who it is shared with. An audit of systems, spreadsheets and third-party services may be necessary to ensure nothing is missed.
You should check over your current privacy notices and put a plan in place to make any necessary changes.
FOCUS ON THE INDIVIDUAL
The individual’s rights are at the centre of the changes, so your procedures need to reflect that. Be prepared to delete personal data on request (the right to erasure) and to provide a copy of an individual's data electronically.
Your procedures also need to reflect the new timescales: most requests, including subject access requests, must now be answered within one month, rather than the 40 days allowed under the DPA, and in most cases no fee can be charged. Decide now how your business will receive, verify and handle such requests once the changes take place.
Look at the types of data processing that go on within your business, and make certain that the lawful basis for each of them is sound and documented, as you will need to state it in your privacy notice.
Focus on the consumer: revisit the ways in which you seek, record and manage consent, and check that existing consents meet the new standard; if they do not, they will need to be refreshed.
Parental consent becomes a requirement when online services are offered directly to children (those under 16, or a lower age set by a member state, no lower than 13), so you will need to set out how you verify a person's age and obtain a parent or guardian's consent.
Given the speed at which data breaches now have to be reported, putting a detection, escalation and notification process in place ahead of time will allow you to act within the deadline if a breach occurs.
DATA PROTECTION OFFICERS
A Data Protection Officer is mandatory for public authorities and for organisations whose core activities involve large-scale, systematic monitoring of individuals or large-scale processing of special category data. Even where a formal DPO is not required, someone within the company needs to take responsibility for compliance with the new rules, and that role should be factored into your employment strategy and organisational structure.
Intellistart is helping businesses across all sectors:
- Grow their database with new customers
- Increase opted in members to their database
- Gain a 360 degree view of their customers
- Improve their website conversion rates
- Build their brand awareness
- Gain the edge on their competitors.
For more information about the GDPR, visit the Information Commissioner’s Office website at www.ico.org.uk