What Is The New EU GDPR And Does It Affect Your Business?
You’ve probably already seen all the commotion regarding the new EU GDPR, as it comes into force this month, but what is it and will it affect your business?
Basically, the new EU GDPR is a revamp of the Data Protection Act, so if that affects your business, chances are the GDPR will too.
It’s all to do with the information you collect regarding your customers, including what you collect, how you collect it, how you use it, and how you store it.
The General Data Protection Regulation (GDPR), which comes into force on 25th May 2018, is a brand new set of legal standards designed specifically to improve the control we, as individuals, have over our personal data in the EU. It will affect businesses of all sizes, and all of them must ensure they comply with this new set of data protection rules.
Keep in mind that it doesn’t matter where your business is located or registered, you still fall under these rules if you collect data from anyone who lives in the EU.
And don’t think that Brexit is going to change anything. If you collect data from people who live anywhere in the EU, GDPR will still apply even after Brexit. If you only collect data from people who live in the UK, read on to find out how the changes may affect you.
What kind of businesses does this affect?
This covers every business that collects any kind of data regarding their customers.
Obviously, if you have any online presence including websites, auto-responders or social media profiles, you need to be taking a closer look at the new rules to ensure you’re staying onside.
If your business is already subject to the Data Protection Act 1998 (DPA), GDPR will apply to your business. It will cover every aspect of how you communicate with your customers and how you handle any stored information about them.
The GDPR distinguishes two roles a business can hold, data controller and data processor:
- A data controller decides how and why a person’s data is collected, stored or used, and is responsible for it
- A data processor handles that data on the controller’s instructions
If you do business in the UK only, the future is unclear right now. However, the UK Government is likely to develop its own equivalent legal regulations.
GDPR made simple (ish) . . .
The main aim of the GDPR is to ensure people have the right to know exactly what information organisations store regarding them.
It will also give businesses and organisations the much-needed framework for storing data. To ensure there’s no misuse they must also adhere to new, stricter rules regarding processing and protection of the data.
The new regulations state that data must be:
- Lawful, fair and transparent
- Kept no longer than needed
- Collected for explicit, specified and legitimate purposes
- Adequate and necessary
- Processed securely
Keep in mind these new regulations get more complex if larger amounts of data are collected and if higher numbers of people are involved in its collection.
These basics will make it all a little easier to understand. You MUST:
- Know what data you have, and exactly why you have it: Data collected should be adequate, relevant and limited to what is necessary. Do you really need it?
- Manage the data you collect in a safe and structured way: Determine who in your organisation is responsible for it. If you’re a sole trader, it’s YOU.
- Encrypt sensitive or personal data: Think about what you wouldn’t want disclosed, and remember that other people will likely feel the same.
- Design and incorporate a security-aware culture into your business: The days of not knowing what is happening to your data are over.
- Report any data breaches fast or face consequences: A breach must now be reported to both your customers and authorities within 3 days if it’s likely to pose ‘a risk for the rights and freedoms of individuals’.
- Be aware that the definition of Personally Identifiable Information (PII) has expanded: This now includes things like genetic information, photos, social media posts, and IP addresses. Keep in mind these are the identifiers that many networks and platforms capture routinely as part of their usual tracking.
- Adhere to the ‘explicit consent’ rule in your opt-ins: Companies will have to use clear opt-in tick boxes, rather than a potentially misleading opt-out box that’s commonly used now. ‘Pre-ticked’ boxes to collect customer data can no longer be used.
- Offer the right to be forgotten: New rules mean customers have the right to access any information held about them, and businesses must securely delete that data once a customer stops using their services and asks to be ‘forgotten’.
- Avoid using complicated, long-winded or misleading conditions for gaining consent to use data: Any request for a customer’s consent from now on must be clear, concise and in an easily accessible format.
Serious repercussions ahead!
Heavy fines of up to €20 million (approx. £17.6m), or 4% of your total worldwide annual turnover, await those caught ignoring the updated rules.
This also applies to lone workers, not just big businesses. If you work alone and collect emails on your site, or you’re involved in affiliate marketing or anything else which involves any kind of data collection, you need to ensure you’re keeping up.
It’s a good idea to document your plan to stick to these new rules with regard to any data you collect, however small.
The ePrivacy Directive
The ePrivacy Directive, also being reviewed right now, will complement the GDPR, not replace it. The improvements will also focus on complete transparency for consumers, along with stricter opt-ins for cookies and other tracking technologies.
More resources for you
The entire GDPR is far too large and complex to completely cover in one post. However, there is plenty of great info regarding the GDPR subject online and many brands are sending out emails on the subject.
Here are a few useful links:
Take this seriously and spend a little time checking to see if, and how, these new rules impact your business.