Data Protection Shake-Up: What You Need to Know
Britain is leaving the EU, but that doesn’t mean it isn’t business as usual until our exit on 29th March, 2019. We’ll still have to apply rules and regulations from Brussels in the meantime, and possibly after depending on the deal that’s negotiated, so it pays to be alert to changes coming down the pipeline – to be sure the only expense you’ll incur is a modest amount of time and not a hefty fine.
So, what does the EU have planned?
Retailers, direct sellers, marketers and anyone that handles customer data, pay attention. The unwieldy acronym GDPR, standing for General Data Protection Regulation, will have consequences when it comes out in May, 2018.
Applying to EU citizens’ personal data, the GDPR has been proposed to tighten up how businesses regard data protection, strengthening people’s control over how firms gain and use information about them.
Data protection’s been around for many years, a consequence of lawmakers reacting to the rise of information technology, so how businesses treat employees’ and customers’ information has become embedded in their day-to-day operation. The broad limits of what we can, or cannot do, have become part of everyday common sense. Where that alone isn’t enough, many larger firms now have data protection officers on the payroll to ensure compliance.
As a result, there’s little chance of punishment for being completely cavalier and totally ignorant of the essentials of adequate data protection. The risk lies in how regulatory bodies, like the EU, make additions to existing law that require positive action – not merely for businesses to simply observe the rules from their introduction, but to go back and rethink their processes, and be prepared to fulfil new requests.
There’s the saying that ‘small leaks sink big ships’, in other words, that oversight of little things, of detail, really matters. It could sink your business. And the GDPR is a case in point.
Its affect is most visible on three areas.
Opt-ins and Opt-outs
To begin, there’s opt-ins and opt-outs. Longstanding complaints surrounding the ambiguity of signing up to company mailing lists, with many unable to pinpoint when they said yes to endless emails, and then unsubscribe, have prompted changes. The GDPR mandates this process must be clearer, no longer should unsubscribe links or opt-out buttons be buried in fine print and third parties handling data must be specified, and there’s potential for this rule to apply retrospectively.
That last bit, retrospective application of the rule, could cause a real headache. It’d mean reaffirming that everyone on your mailing lists and in your databases still wanted to be there. And if people didn’t respond by a certain point, didn’t express their permission, but ultimately still wanted their data to be used, they could be removed inadvertently.
The upside is that it could be a good excuse to prune company systems of dormant people.
Right to be forgotten
Touching on removal, there’s also the right to be forgotten, which the GDPR will reinforce. This means granting individuals ability to access, and delete, their data when they withdraw consent for it to be used, an organisation’s handled it inappropriately or there’s no further reason for it to be stored. Businesses need to be alert to those who want to exercise this right.
And, finally, there’s the way the GDPR amends the legal basis for personal data processing – that there should be clearly defined reasons for harvesting, and using, such information. It can’t be amassed for an unspecified reason that becomes apparent at some arbitrary future point. It can be amassed for a specified reason, in the here and now, that the person who surrendered their information was aware of and approved.
Noncompliance, as mentioned, results in penalties. But how hefty? Scaling up as breaches increase in severity, they start with written warnings, become data protection audits and finish with fines. The first bracket specifies you could be landed with a bill of €10 million, or 2% of global annual turnover, whichever’s highest, and the second €20 million, or 4% of global annual turnover, again whichever’s highest.
Ignore GDPR at your Peril
So, for the time being, EU regulations such as the GDPR are going to continue to roll in. Ignore them at your peril. We’ll be back in future months with further content on this topic and how our software and the team here in Grantham can help your business cope with these changes.
Our blogs are written to keep you ahead of the curve. Our software, Khaos Control, does too. Ensuring peak efficiency from your business, it’s one system that combines business functions, ranging from stock control to CRM, accounting to purchase orders, streamlining processes to reduce errors and cost. It’s not something you can afford to miss out on, so request a free demo today.