
General Data Protection Regulation (GDPR)

In less than a year, Europe's data protection laws will undergo their biggest transformation since the Data Protection Directive was established in 1995, and the new regulation is set to affect British individuals, organisations, companies and charities. The stated reason for the change is simple: the current rules are no longer fit for purpose, because the amount of digital information being created, captured and stored has increased enormously over the past two decades.

Introduction to GDPR

GDPR widens the scope and definition of personal data to include, among other things, online identifiers such as cookies and social media contact details. Organisations will be required to have a lawful basis for processing personal data and to comply with the principles set out in the GDPR, which means giving individuals more detailed information at the point of collection, in data collection and privacy notices, about how their personal data will be used. Consent must be requested separately from other terms and conditions and cannot be made a precondition of signing up for a service. In addition, certain organisations will have to appoint a data protection officer.

Complying with GDPR

GDPR recognises that not all parties handle personal data in the same way and therefore sets out separate obligations for controllers, the entities that decide the purposes and manner in which personal data is processed, and processors, the people or organisations that process personal data on behalf of a controller. For anyone working with personal data, these six steps are the core of becoming compliant:

  1. Make sure the senior management team and key staff members are aware of the new rules and requirements.
  2. Identify which lawful basis under the GDPR your organisation will rely on for direct marketing activities; in most cases this will be either consent or legitimate interests.
  3. Understand what personal data you hold, how it is stored, why you hold it, where it came from and which third-party organisations you have shared it with. Data hosted with cloud providers must be included in this inventory.
  4. Update your data collection and privacy notices to reflect the changes.
  5. Review your policies and procedures for dealing with a data security breach and for responding to subject access requests.
  6. If you buy personal data from list owners or outsource the processing of personal data, review your contractual arrangements with those parties.

Punitive Measures

Arguably one of the most talked about elements of GDPR is how strictly it will be enforced, with regulators having the power to impose large fines on businesses that do not comply. The maximum fine for the most serious infringements, such as processing personal data without a lawful basis (for example, without the consent relied upon), is four per cent of the business's annual global turnover or €20 million, whichever is greater. Less serious breaches, such as failing to appoint a data protection officer when one is required or failing to handle an individual's data correctly, can result in fines of up to €10 million or two per cent of global turnover, whichever is greater.

Adopting GDPR

Following four years of EU deliberations, GDPR is designed to unify data privacy law across Europe and to give individuals greater protection and rights. The regulation was adopted in April 2016 and will come into force on 25th May 2018. To pave the way for this widespread change, we're working one-on-one with businesses to audit their operations and adopt the regulation appropriately. This may involve updating internal policies and informing staff of new procedures, reviewing data management, cleansing databases, updating consent tools and consent language, and revising email marketing to ensure that any reliance on the soft opt-in is valid. Let's discuss GDPR and how it could affect your business: get in touch with a member of our team today. We're easily reached through these details: