GDPR: what’s it all about?

In the first of a series of four articles, marketing expert Charlotte Graham-Cumming, director of Varia Solutions, explains the implications of new data protection laws due to come into force on May 25

What is GDPR anyway?

Simply put, the General Data Protection Regulation is a “beefing up” of the current data protection laws. Whether you’re a B2B or a business-to-consumer organisation, if you process any personal information, you need to comply.

You should already have been complying, as a lot of what is in GDPR is already in the current Data Protection Act (DPA). However, one of the biggest changes is that enforcement is about to get a whole lot tougher.

Why has it changed?

The EU wanted to make sure that data protection regulation covers all the ways data can now be shared. It’s now far easier to share information and track people’s behaviour online and the EU wants to make sure this is done lawfully and fairly.

Where on earth do I start?

I would start by understanding what personal data you actually process. Personal data is any information that can be used to identify a person – name, e-mail, telephone, address, etc. And don’t forget your staff data, as this is likely to be more sensitive. Certain “special” categories of data also have more stringent requirements.

You need to understand how the new legislation will affect your business, and how vulnerable you are to security breaches. I know of many companies that have been caught out by hackers, lost money and data, and then been fined by the Information Commissioner’s Office (ICO) because they did not have stringent enough processes and technology in place.

Key points: what’s changed?

  1. Increased territorial scope
    The law applies to anyone, regardless of location, that processes the data of EU citizens – and yes, even the UK ones, post-Brexit.
  2. Penalties
    €10m or two per cent of turnover, whichever is greater, for not having the right processes and paperwork in place.
    €20m or four per cent, whichever is greater, for not having the right security and protection in place.
  3. Consent
    This has been strengthened and must be clear and unambiguous. It’s no longer OK to hide it in lengthy terms and conditions, and it must be very clear and tied to the original purpose. It must also be as easy to withdraw it as to give it.
  4. Data protection officers
    In consumer electronics, you’re unlikely to need a ‘formal’ DPO (data protection officer), however you should appoint someone in your business, or third-party supplier, who is knowledgeable about GDPR to oversee your responsibilities in this area.
  5. Breach notification
    Right now there is no time limit for this, but as of May 25 you’ll have 72 hours to report a breach. You will also be required to inform your customers.
  6. Right to access
    You have 30 days to provide any information you hold on someone and what you do with that data, in an electronic format, if they request it.
  7. Right to be forgotten
    You are required to erase someone’s data if they ask you to, or if the original purpose is no longer valid. You must also ensure that third parties comply.
  8. Data portability
    A data subject (customer) can request that you send their data to another party – for example, if they are changing service providers.
  9. Privacy by design
    You must now integrate data privacy into the design and development of new systems and processes.

Ask yourself…

  • Could I respond to someone asking me for all their data, and details of the processing that I do with it? This should include employees and customers – both retail and service.
  • Could I identify and respond to a data breach? Do I know what a data breach means in my business? Have I adequately protected my business?
  • Do my staff understand what GDPR is? Do they know what our processes are?
  • Do I know where all customer and employee data is stored, and whether it is accurate and up to date?
  • Do I have the right to process and store the data I’m using? Can I provide evidence of this, if required?
  • Do I know what third parties are doing with the data that I share with them?
  • Can I provide evidence that I’ve taken steps to be compliant?

If you answer ‘no’ to any of these, then you’ve got some work to do. It doesn’t have to be complicated or drawn out, but you can typically get it done faster with external help.