It feels like we’ve been talking about it forever, but all of a sudden, GDPR is just around the corner. And with 25th May now less than a month away, if you haven’t already, you need to get your data in order - sharpish.
Need a re-cap of what GDPR means for your business? Then read on...
What is the GDPR?
The General Data Protection Regulation (GDPR) is the biggest change to data protection rules in over 20 years, replacing the 1995 Data Protection Directive that has been in force since the 1990s. The new regulation is designed to give consumers much greater control over their data, while putting the onus on businesses to keep this information safe and respect the privacy of their customers.
What will change?
The UK’s Information Commissioner, Elizabeth Denham, has said that the GDPR is an “evolution, not a revolution”, so if you’re already compliant with the UK’s Data Protection Act 1998, you should be in good shape.
Having said that, there are some notable changes, particularly the shift from "opt out" consent to explicit "opt in" consent. Under the GDPR, consent has to be a clear affirmative action: a pre-ticked box, silence or inactivity no longer counts. For most businesses that means your customers must read and proactively tick the box that says they want to be on your database, and if you can't show that they did (or point to another lawful basis for holding their data, such as legitimate interests), they need to come off.
Customers will also have greater rights over their data, including access to it, correction and erasure, and you need to start documenting what you’re doing to protect it, for example with data protection policies, data protection impact assessments and records of your processing activities.
And bear in mind that fines for noncompliance will be going up, to a maximum of €20m or 4% of annual global turnover, whichever is higher. However, the ICO has said it will take a measured approach towards businesses that can show a clear and organised approach to how they secure their data and how they respond to potential issues, particularly in the first 72 hours, which is the deadline for reporting a notifiable breach to the ICO after you become aware of it.
The UK is already one of the countries with the greatest enforcement of data protection rules and this is likely to continue once the GDPR has been introduced.
Who does it apply to?
All individuals and businesses that process or store personal or sensitive data must abide by the rules – that includes startups, small businesses, freelancers and the self-employed, whether you decide how the data is used or process it on someone else's behalf.
By personal data, the regulation means any information that can be used to identify a person, directly or indirectly, such as their name, email address, IP address, and so on. Sensitive (or "special category") data covers details such as genetic or biometric data, health, sexual orientation, religion, political views, ethnicity or trade union membership, and needs a higher level of protection.
5 top tips to prepare:
With just weeks to go, here are our top tips to ensure you’re ready to comply on the 25th May:
- Your opt-in statement must clearly indicate that if the customer agrees, you will be sending them ongoing marketing communications, and what those communications will be.
- It must also tell them who will have access to their personal data, including any third parties, along with your contact details and those of any third parties.
- Your ‘opt-out’ message must make clear that withdrawing consent will have no negative repercussions for the customer, and withdrawing it must be as easy as giving it in the first place.
- Your opt-in statement must require an active response from the individual to confirm that they are happy to be marketed to; keep a record of when and how each person consented, as you may need to prove it.
- To make sure your statement is watertight we recommend that you get it signed off by your legal team.
Looking for more detail? Then take a look at our guide on everything you need to know about the GDPR.
And don't forget, if you do find yourself in hot water, cyber liability insurance can cover you for a breach of data protection laws (where insurable by law) and your liability for handling data. It can also provide cover for extortion, system rectification costs, plus PR expenses and financial loss due to system downtime.