In recent months you are likely to have heard about GDPR, and may be wondering what it means for your business.
GDPR is a complex subject that is confusing many business owners within the EU, and quite rightly many are concerned about what it means for their marketing and data collection going forward.
What is GDPR?
For those who aren’t aware, GDPR is an incredibly important new legal requirement that companies of all sizes need to be aware of.
The General Data Protection Regulation (GDPR) applies from 25 May 2018 and covers any personal data that companies hold or process within the EU.
Not only does it apply to companies within the EU (the UK included), it also applies to businesses outside the EU that offer goods or services to people in the EU or monitor their behaviour, and so hold personal data about them. In short, this will affect almost everyone.
Once in force, GDPR will be among the strictest data privacy laws in the world.
GDPR is your responsibility
One common situation where GDPR would apply is if you hold customer email addresses for marketing purposes. Let’s assume you send emails to this list via a provider such as MailChimp.
In this example you are referred to as the Data Controller, and MailChimp is the Data Processor.
Where GDPR is concerned, the Data Controller decides why and how personal data is processed and carries the primary responsibility for upholding the data protection rules. The Data Processor has its own, narrower obligations (processing only on your documented instructions, keeping the data secure, and telling you about breaches), but outsourcing does not transfer your responsibility. You must have a written contract with each processor covering these points, and you remain answerable for how your client data is handled.
What your responsibilities are, specifically
In order to be compliant, you need to offer your clients a number of safeguards, including but not limited to: Breach Notification (reportable breaches must be notified to the supervisory authority within 72 hours of becoming aware of them), the Right of Access, the Right to Data Portability, and the Right to Erasure (the “Right to be Forgotten”).
If your company is larger than 50 employees, or is likely to become this size in the near future, we’d strongly advise you to employ the services of a specialist solicitor to draft the proper documentation. We would also suggest appointing a data protection officer to ensure you remain compliant going forward.
Additionally, by law, public authorities, and any organisation whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data (such as health or criminal records), are required to appoint a qualified data protection officer. Note that GDPR sets no headcount threshold for this; the 250-employee figure often quoted relates only to a limited exemption from keeping records of processing activities.
For small to medium sized businesses, like the majority of our clients, you must be able to answer the following questions (if/when) the EU comes knocking…
- What personal data do you have?
- Where is it sent?
- Where is it stored?
- How is it processed?
- What do you tell people about how it’s processed?
- How do you collect it?
From the answers to these questions, you should produce a document (a record of your processing activities) that your staff can refer to if anyone enquires into whether you’re compliant.
Don’t forget to check any third-party providers you use, to ensure they’re compliant and that your contracts with them contain the terms GDPR requires.
Regarding Customer Data
Whilst the subject is very deep, in summary you must make sure your website and any other means of collecting customer data follow these rules:
- Where you rely on consent, it must be freely given, specific, informed and unambiguous, and you must be able to prove that you obtained it (keep a record of who consented, when, and to what wording).
- It used to be that implied consent was enough, particularly with B2B communications. This is no longer the case: pre-ticked boxes and silence do not count. Users need to opt in by actively ticking a box, and you need to make it clear how their data will be used. Consent is only one of several lawful bases for processing; if you intend to rely on another basis, such as legitimate interests for existing-customer marketing, you need to document that assessment, and the separate electronic marketing rules (PECR in the UK) still apply.
- Anyone you hold data about has the legal right to be forgotten; that is, to have their information removed from your systems on request. The right is not absolute (for example, you may still need to keep records to meet a legal obligation), but you must respond without undue delay and, in most cases, within one month.
If there is one takeaway from all this, it should be that the responsibility of your client data is that of your organisation. The penalties for failing to comply with GDPR are significant, so like it or not you need to be prepared.
The full details about GDPR can be found on the ICO website. You’re in for a long read, but well worth your time.
For a few real-world examples, we found this Econsultancy article to be particularly informative.
Note: The details provided here are offered for purely informational purposes, and should not be taken as a substitute for proper legal advice.