Introduction
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC in May 2018.
Should we be concerned as businesses?
I personally do not think that we need to be concerned but we should be prepared. So here are my thoughts on the pending change and how we may be able to prepare ourselves.
Arguably the biggest change will be the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of subjects residing in the European Union, regardless of the company’s location. Also the penalties are large and companies can be fined up to 4% of annual global turnover or 20 Million Euro (whichever is greater). I am not being a scaremonger, these are the facts. It is also worth noting that even post Brexit the UK will still follow the GDPR very closely. The fines are certainly attracting the attention of board level executives!
The GDPR and Business
Fundamentally, the biggest change for our business under the GDPR will be the ongoing maintenance and growth of our mailing lists. As a business we have always made the decision not to add show and exhibition lists to our CRM system, and have grown our list organically from networking and personal requests. But with the new GDPR regulation we are going to have to look at how we are ‘organically’ growing our lists, making sure that we are following the guidelines on ‘consent’. Where personal data is processed for direct marketing, the individual will have a right to object. This right will have to be explicitly brought to their attention.
From a business and marketing point of view we will need to ensure that we are acquiring consent correctly. As there will need to be some form of clear and affirmative action – or in other words, a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent has to be verifiable, and individuals generally have more rights where you rely on consent to process data.
So going forward we will not need to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. But if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard on being specific, granular, clear, and prominent, opt-in, properly documented and easily withdrawn. If not, alter your consent mechanisms and seek fresh GDPR-compliant consent, or find an alternative to consent.
As a business we are looking internally to make sure that we will no longer use long, illegible terms and conditions full of legal terminology, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
So, some of the questions being asked:
- What are the new obligations under the GDPR which will apply to us?
- Do we have any gaps in our existing state of compliance as against the new GDPR?
- What do we need to do to conform to the GDPR?
- Is there a timetable with an order of priority?
- Is there any cost to implement the GDPR?
As I write this blog our business has 10 months to prepare for any implementation that is required. We are taking these steps now to ensure that come May 2018 we are adhering to the new GDPR.
References
Obviously the GDPR is a much broader piece of legislation than just maintaining your mailing lists, and there is a lot of information to digest and implement. I have read two main sources of information on the GDPR and I would suggest that these are referred to when implementing:
https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/
These PDFs may be of use:
https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
And the following link is useful too:
https://ico.org.uk/for-organisations/data-protection-reform/useful-links/