If you haven’t heard, the new EU* GDPR (General Data Protection Regulation) comes into force on 25th May. It will affect the way all businesses and organisations collect, use and store data on individuals.
GDPR states that data belongs to the individual and not to the business using it. This puts responsibility onto businesses to look after that data and use it sparingly. The individual will have the choice and control over how their data is used. Businesses that don't take responsibility will lose customers, goodwill, brand loyalty and shareholder value. Businesses that can demonstrate good data governance and compliance will find customers share more data, which might lead to increased revenue.
There will likely be scaremongering about massive fines, but the GDPR is not a huge change from the existing regulation, the Data Protection Act 1998. Yes, the fine limits have gone up, but it's about shifting the focus to the rights of the consumer, not imposing fines. The Information Commissioner's Office (ICO), which will be enforcing the regulation, claims to prefer a carrot approach, with advice and guidance for compliance, rather than the big stick approach of mega-fines. They feel that an organisation's non-compliance will have such a large impact on brand and consumer trust that they won't really need to use the big stick.
The main point of the regulation is to reinforce the rights of the individual and their right to control data held about them. This means:
For businesses this means some work to make sure they meet the regulation and maintain those standards in the future. It will obviously be more work for large organisations that handle a lot of customer data.
Organisations must ensure data is:
If you have only just started thinking about GDPR compliance, the first steps taken by most organisations involve:
Document all your reviews and changes, and keep these records to show compliance.
Before 25th May 2018 you must inform people up front about your lawful basis for processing their personal data, and ensure that you include it in all future privacy notices.
The best place to start is the ICO website, which has loads of information including self-assessment checklists, FAQs, myths busted, and a 12-step guide on how to prepare for GDPR. The ICO has also made a small business advice page to help guide small businesses through the regulation, and it details the tools and resources available to you.
In summary, the new regulation is an extension and an update of what was there before, brought on by huge advances in how individuals communicate and interact with organisations. It champions the right of the individual to control their data, and puts the onus on organisations to use it fairly, transparently and safely.
*Post-Brexit, the UK won't be subject to the EU GDPR rules, but we need to be compliant now and will then maintain equivalent regulations to ensure data can continue to flow between the UK and the EU.