GDPR (General Data Protection Regulation) represents a big change for companies in the UK, both in how they handle data and in the consequences if they don't handle it correctly. Changes to the current Data Protection regulations commencing in May 2018 mean your business needs to be ready.
The current EU Data Protection Directive of 1995 and the UK Data Protection Act of 1998 that govern our personal data have become severely outdated given the masses of data consumed and collected on a daily basis. When these rules were put in place there was nothing like the current volume of data being generated, and they simply can't cope with the modern world we live in.
In December 1995, there were about 16 million internet users, compared to the nearly 4 billion users we have today. This unprecedented increase in connected users, and the data associated with them, means that changes were long overdue. GDPR aims to address this when it applies to the UK on 25th May 2018.
What does GDPR really mean?
Broadly, it puts the person/company in charge of their data and puts the onus on the user of the data to ensure that they explicitly have the right to use and store it. In practice, this means people should have more control over data that relates to them. If an organisation holds personal data, it will now have quite a lot of work to do: making sure it understands the data it holds, how it is processed and when it is destroyed.
GDPR will mean the ICO, which will implement GDPR in the UK, becomes a more authoritative body with a greater say over digital matters, and it will enforce strict penalties should the new regulations not be adhered to.
This will affect both controllers and processors of data – that is, those that decide how and why data is used, and the processors acting on the controller's instructions. If the Data Protection Act currently affects your business or job role, you will probably fall into one of these two positions.
Users should be able to see clearly what data is collected, and how and why
From May, users will have the right to access all data that is collected about them, as well as to have all of it erased. Subjects can even transfer their data to a competitor if they wish. One of the key changes for most businesses is explicit consent. It is no longer acceptable to simply send people marketing emails unless you have (and have recorded) a positive confirmation that they are happy to receive them.
Gone are the days when you could have a pre-selected checkbox on an eCommerce or signup form opting people in to receive communications. It should be pointed out that this won't affect "transactional" emails that you are required to send as part of your service, for example an email confirming an order has been placed or an email with the delivery/tracking details.
What tangible steps do you need to take?
The first thing to do, well in advance of May 2018, is to set up a workflow detailing all the steps required to become GDPR compliant. As a rough guide, we would think about the following as a basis:
- Identify where all your electronic data resides: think about laptops, PCs, servers, cloud storage platforms, marketing systems like MailChimp, your website and USB sticks. You will need to do the same for physical data, but that is something you will need to look at yourself.
- Update your terms and conditions so they’re in plain English – without legalese or jargon.
- For marketing purposes, change how your website collects data, using opt-ins to ensure that visitors give their consent before you collect their data.
- Audit all the data you currently store, and understand whether you need it or whether it should be deleted.
- Once you know what data you have and how long you should keep it, set up processes to make sure you are dealing with it properly and consistently.
- Set up a process for dealing with the situation if someone asks for their data.
- All partners or third parties you work with need to be GDPR compliant too, so make sure you assess them in the same way you have your internal data. Remember, if you hold your data in the cloud, this needs to be thought about as well.
What technology can help with this?
Microsoft are investing time and money to ensure Office 365 and all of their platforms are GDPR compliant.
Some simple examples of things you can do are:
- Consolidate your data into fewer systems, such as moving all documents and file sharing onto SharePoint Online (this reduces the surface area of systems you need to audit).
- A CRM system such as Dynamics 365 CRM helps you manage your customer relationships, and can integrate with your website and email manager to ensure that data is collected via opt-in only.
- You can use Microsoft Planner to plan and manage the project to ensure compliance.
You can also implement new technologies to help structure your compliance plan and to ensure all tasks are completed prior to May 2018.
What will happen if you don’t?
Failing to meet the GDPR regulations will result in strict penalties: as much as 4% of your annual global turnover or €20 million – whichever is the greater. This level will be reserved for the biggest of breaches, but the penalties promise to be severe for those that ignore the new rules.
To find out more about the GDPR or the business technology you should be implementing, get in touch with SpiderGroup. You can call us on 0117 933 0570. Alternatively, you can fill in our contact form and we will get back to you.