17 Oct 2017
The new legislation governing how organisations collect, manage and use their data is very much in the news at the moment. You may have received emails on the topic of the General Data Protection Regulation (GDPR) or had conversations with your legal team as to how you will be affected by it.
WHAT IS GDPR?
Essentially the new regulation is aimed at making data protection stronger for citizens of the EU and the wider global marketplace. In layman’s terms it tells businesses that if you want to offer products or services to people in the EU, make sure you treat their details with respect, or you are going to be in for a very heavy fine.
The main GDPR document is a lengthy affair, but we would always recommend that you have as much information as possible, so feel free to have a read.
DOES IT AFFECT ME?
Any organisation that collects data from citizens within the EU will have to comply with GDPR to some extent – and don’t think you are off the hook if your website or app doesn’t collect data. If you collect data in internal databases, CRMs or just via email, you need to comply.
Fundamentally GDPR is aimed at making companies act with more integrity when it comes to the data of individuals. Although it is aimed at companies that store data on EU citizens (and yes, Britain will form part of that – for now), the benefits will be felt across the globe.
LIKE HIGHLANDER, THERE CAN BE ONLY ONE
The guiding principle behind GDPR is one single set of regulations to govern all EU member states. Each member state will designate a Supervisory Authority (SA) to ensure compliance with the new legislation. Given the nature of data in the digital age, these SAs will work closely with each other.
A LACK OF TRANSPARENCY RESULTS IN MISTRUST – THE DALAI LAMA
A huge part of GDPR is companies becoming a lot more transparent about how they use an individual’s personal data and how long they intend to keep using it. The legislation requires organisations to state what data is being processed and for what reasons. Individuals must have a clear understanding of who to contact at an organisation with regard to data processing actions.
WE ARE LIVING IN AN AGE OF CONSENT
An audit trail must be available to demonstrate that an organisation has been given consent by an individual before their data can be processed, and that data can ONLY be used for the purposes it was gathered for. In plain terms, if you receive a website email enquiry this does not mean that person can go straight onto a mailing list. Don’t get too comfortable holding on to this data either, as consent can be withdrawn at any given moment.
SCRABBLE WORD OF THE DAY - PSEUDONYMISATION
The new legislation makes reference to pseudonymisation. In simple words, this is a way of storing an individual’s details so that they cannot be attributed to that individual without the use of additional information. In practice this comes down to some clever use of database tables: a person’s details are split apart and only make sense when, for example, a specific ID key is used to join them back together.
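The table split described above, as an added example that is not part of the original post. It keeps the identifying details (name, email) in one table and the processing records (enquiries) in another, linked only by a random pseudonym. Anyone holding just the enquiries table sees tokens and topics; re-identification needs the separately held identities table. The table names, column names and sample enquiries are all constructed for this illustration.

```python
import secrets
import sqlite3

# Constructed sample data for the demo (not taken from the original page).
SAMPLE_ENQUIRIES = [
    ("Alice Example", "alice@example.com", "brochure request"),
    ("Bob Example", "bob@example.com", "pricing question"),
    ("Alice Example", "alice@example.com", "follow-up call"),
]


def open_store():
    """Two tables: identities (the 'additional information') and enquiries."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE identities (pseudonym TEXT PRIMARY KEY, name TEXT, email TEXT UNIQUE)"
    )
    conn.execute(
        "CREATE TABLE enquiries (id INTEGER PRIMARY KEY, pseudonym TEXT NOT NULL, topic TEXT)"
    )
    return conn


def pseudonym_for(conn, name, email):
    """Return the existing pseudonym for this person, or mint a new random one."""
    row = conn.execute(
        "SELECT pseudonym FROM identities WHERE email = ?", (email,)
    ).fetchone()
    if row:
        return row[0]
    # A random token rather than a hash of the email address: a hash of a
    # guessable value can be reversed by hashing candidate addresses and
    # comparing, so it would not stop attribution without the lookup table.
    token = secrets.token_hex(16)
    conn.execute("INSERT INTO identities VALUES (?, ?, ?)", (token, name, email))
    return token


def record_enquiry(conn, name, email, topic):
    """Store the enquiry against the pseudonym only; no PII in this table."""
    token = pseudonym_for(conn, name, email)
    conn.execute(
        "INSERT INTO enquiries (pseudonym, topic) VALUES (?, ?)", (token, topic)
    )
    return token


def enquiries_without_identities(conn):
    """What the processing table reveals on its own: tokens and topics."""
    return conn.execute("SELECT pseudonym, topic FROM enquiries ORDER BY id").fetchall()


def reidentify(conn, pseudonym):
    """Only possible with access to the separately held identities table."""
    return conn.execute(
        "SELECT name, email FROM identities WHERE pseudonym = ?", (pseudonym,)
    ).fetchone()


def demo():
    """Load the sample enquiries and return the store plus the tokens issued."""
    conn = open_store()
    tokens = [record_enquiry(conn, name, email, topic) for name, email, topic in SAMPLE_ENQUIRIES]
    return conn, tokens


if __name__ == "__main__":
    conn, tokens = demo()
    for pseudonym, topic in enquiries_without_identities(conn):
        print(pseudonym, topic)  # no names or addresses appear here
    print(reidentify(conn, tokens[0]))  # needs the identities table
```

In a real deployment the two tables would sit in separate systems with separate access controls, so that the team handling enquiries never holds the identities table at all; that separation is what the regulation's "additional information" wording refers to.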
WHAT TO DO IN THE CASE OF A BREACH
Should you have a security breach, under the new legislation you are required to have a process in place to deal with it. Depending on the seriousness of the breach, you have a legal obligation to report it within 72 hours. There is more to read on what to do in the event of a breach on the Information Commissioner’s Office website.
WITH GREAT POWER COMES GREAT RESPONSIBILITY
The guidelines around the regulation suggest that if you process data on a ‘significant scale’ (nothing like a vague term for interpretation) then you need to appoint a Data Protection Officer (DPO) who is responsible for ensuring that the business is GDPR compliant. Even if you are not processing data on a significant scale, it is probably a good idea to make someone in the business responsible for this area.
ERASURE – NOT JUST AN 80s THROWBACK
With GDPR everyone has the right to the erasure of their data. This means that if you are asked to remove it, everything has to be removed from everywhere, including backups, and any reference to the information also needs to be gone.
COMPLIANCE BY DESIGN
Another large part of the GDPR thinking is to have developers include privacy by design rather than as some kind of afterthought. If you are planning a new website or any other kind of digital system then privacy needs to be at its core. By default all privacy settings need to be at their highest level, with the user then able to downgrade them should they wish.
TIME IS TICKING
GDPR comes into effect on 25th May 2018 and replaces the Data Protection Directive from 1995.
WE ARE NOT GOING TO BE IN THE EU
Surely in the UK we don’t need to worry about this thanks to Brexit? Well, not really! The first point is that the law comes into force before the start of the withdrawal process. We are also going to adopt the legislation immediately after Brexit, so it is here to stay.
The fines for non-compliance with GDPR are heavy. You can be looking at 4% of turnover or €20 million, whichever is higher. Not something to be taken lightly.
IT’S ALL ELSEWHERE
If you are using systems like Mailchimp, Campaign Monitor or any other third-party system then it’s someone else’s problem. Wrong! You need to make sure that whatever platform you are using to process data is GDPR compliant. The likelihood is that the main platforms are working on this and will be compliant in advance of the new legislation. However, do not take the risk: ask the question.
HOW CAN YOU BE GDPR COMPLIANT?
If you are thinking of having a new website built then the iCentric platform will not only give you an extremely powerful platform for all your digital marketing, but will also give you a GDPR compliant solution well in advance of the deadline.
To find out where you currently stand on GDPR compliance for your digital platforms call Graham Davidson on 01234 292200 to talk through the options you have to get yourselves ready.