To avid Brexit watchers, one of the most fascinating areas of negotiation will be which EU laws the UK retains, modifies or drops. While the popular press may focus on our greengrocers' right to sell overly bendy bananas again, one area that will almost certainly be retained is the General Data Protection Regulation.
If you haven't heard of or been made aware of the GDPR, you will in the coming year or so, before 25th May 2018 when the regulation comes into effect. The GDPR sets out very clearly how businesses will need to conduct themselves in relation to all aspects of data (who can forget the fun of the cookie law and the chaos over what you have to, or should, do with regard to the use of cookies on websites).
Whether the UK is in or out of the EU on 25th May, the government will almost certainly retain the vast majority of the GDPR, meaning businesses really need to spend the next year or so actively preparing, and not merely thinking about, how they handle data in their organisation.
So what does this mean in practical terms?
Well, firstly, as a business you need to know and understand what data you hold and use in your organisation. For some businesses this may be a fairly straightforward question; for others, with multiple systems, partners and people accessing data, it becomes far more complex.
Secondly, have you considered how you use data? If you send marketing communications such as emails to the contacts in your data, are you sure those individuals have opted in to receive them? Does your sales force cold call previous customers or contacts, and if so, can you show you have permission to do so?
Thirdly, you need to consider the security of data. While a data breach on the scale of TalkTalk is still something of a rarity, a government survey in 2016 found that 74% of SMEs suffered a security breach last year. Aside from the operational chaos caused by a breach (for which you need to consider a Disaster Recovery plan), the GDPR sets out guidelines as to how data needs to be physically secure within an organisation.
While a lot of retrospective action will be needed by many businesses to be ready for the GDPR, there is a lot that businesses can do now to comply with one of the central planks of the regulation, termed Privacy by Design.
This essentially means ensuring that all customer touchpoints and systems are built from the ground up with data protection in mind. At a practical level, this ranges from making sure you ask users to opt in when they complete a form or you otherwise collect their data, through to ensuring that you know exactly how data is being used in your organisation.
Finally for now, as this blog could be four times as long if we covered all areas of the GDPR, part of the reason we expect the government to retain the regulation is its punitive powers, with penalties ranging from 2% of turnover for not having records in order, through to 4% for not having consent to process customer data.
This is really where businesses will start to get nervous. Already we are seeing the Information Commissioner's Office starting to bare its teeth, with a £400,000 fine for Keurboom for breaching existing privacy laws by contacting customers without consent; a full list of recent fines is on the ICO website.
So what to do about it?
I've set out some of the areas that the GDPR will cover and the questions that businesses will need to be able to answer. At Fantastic Media we are pulling together a GDPR audit that will be the first step to ensuring you can prepare to be GDPR compliant. If you would like to speak to us to find out more about this audit, or to learn more about how the GDPR might affect your business, call us on 03450 176 090 or email info@fantasticmedia.co.uk.