We’ve done it, so you don’t have to.
Less than a year until the General Data Protection Regulation comes into force: here’s what you need to know.
The General Data Protection Regulation (GDPR) is a binding EU legal framework for the protection of personal data, which will come into force in May 2018. It builds on the 1998 Data Protection Act, which was written before the internet took off: before email marketing, before Google, before the mass digitisation of personal data. If you work with – or employ – people who live in the EU (yes, that’s us – even after Brexit), you must comply with the GDPR.
Whilst the GDPR is aimed at larger businesses (employing over 250 people), SMEs are also expected to comply.
Until now, people have given up their personal information (sometimes reluctantly) in order to engage with a business, hoping that the business in question won’t then bombard them with unwanted marketing material or sell their details on. It’s a transactional relationship where the business holds most of the power: this is about to change. Most of us want the benefits of the digital services that our world is becoming increasingly reliant on (Amazon Prime anyone?), but we want privacy rights and strong protections too.
A business will no longer own its clients’ data: we will become custodians of people’s information, looking after it as we would a favourite book borrowed from a good friend, returning it (erasing it from our systems) when the time comes.
The most important things you need to know about the GDPR are about consent, data protection, and the penalties for getting it wrong.
You must request – in plain English – a person’s explicit consent for you to use their data, with a separate consent needed for each activity you plan to use it for. You will also need to keep a record of how, when and from whom that consent was secured (bundling it into your T&Cs won’t suffice). Should someone change their mind, withdrawing consent must be just as straightforward as opting in was.
Sadly, you can’t just carry on using your existing database: you will need to prove that the data you hold was captured transparently and that you have every person’s permission to use it.
That book you borrowed? If it gets lost, stolen or you pass it on to someone else, you will find yourself in serious hot water. As a professional entity that uses personal data in your everyday business functions, you and everyone who comes into contact with that information are responsible for its protection.
It’s about minimising risk: human error is at the heart of most data breaches. Reducing the amount of data you hold, as well as the number of people who interact with it, reduces the chance of a privacy breach. One small slip and it’s too late: a report left on a train, a lost archive box, a USB stick forgotten in a coffee shop, an email forwarded in error.
A person can ask for sight of all the data you hold about them, and you are obliged to comply promptly. People also have the “right to be forgotten” – and a request for this means you need to erase that person from your system. Get it wrong – or suffer a data breach – and you could be fined up to €20m or 4% of your company’s global annual turnover (whichever is greater) for a single violation. Your business and your reputation may be damaged beyond repair.
There is some lenience in the penalties for SMEs, but only because they pose a smaller risk than larger businesses. We are still expected to comply, and failure to do so will leave us open to prosecution. Importantly, clients, employees and suppliers will expect SMEs to be just as respectful of their data as an enormous multinational firm would be.
A lot of this is common sense and good practice – respecting your clients’ data, privacy and preferences is part of a healthy working relationship – but the penalties for getting it wrong are suddenly far higher.
Clearly, there’s more to it than this short post, but we simply couldn’t squeeze it all in. So we produced a paper, which you can download here. A few people have asked us for a seminar on this topic and we are looking into it; if you’re interested, please do let us know.