The new rules are intended to increase privacy and protection of individuals by reducing the amount of data held about them by businesses and restricting the use of that data to essential use and only permitted use.
The GDPR also makes it easier for someone to find out what data a business holds about them and for them to ask for it to be removed; it actually goes further by requiring businesses to have a specific reason for holding data about a person.
Failure to act and implement the new rules could incur massive fines and damage your business’ reputation.
Many SMEs have assumed they are too small for the rules to apply, but this is untrue. It applies to any organisation that holds personal information, whether it be data about staff, job applicants, customers, prospective customers, contacts, suppliers or anyone else.
Essentially, SMEs should know what data they hold about people and ensure that they have that person’s consent to control or process it. One major difference between the UK’s Data Protection Act 1998 and new regulation is that businesses need specific permission from the relevant person who must opt in for the different uses of their data. For example it is legitimate to hold data about an order for goods and use that data to fulfil the order and retain essential information for audit purposes but not to use it for future marketing unless that person has specifically opted in to receive future marketing communications.
It goes further in that the opt-in is required for each type of communication. For example someone may opt in to receive newsletters but not other emails or marketing phone calls. Essentially it restricts the unsolicited nature of each form of communication and allows everyone to change their mind by opting out or unsubscribing at any time subsequent to opting in.
In addition to covering the type of data held and its usage, the GDPR also deals with the security of the data held. It requires a business to ensure the data is secure and is protected from “unauthorised or unlawful” processing, accidental loss, damage or destruction.
The opt-in element will have a huge impact on businesses that in the past have used data to market their products or services. In future, recipients of any communications must opt in before receiving the communications. This means them opting in for each and every type of communication, such as e-newsletters, product notices and brochures, discount offers, surveys and telesales calls.
Compliance with the GDPR after 25th May 2018 will be a legal requirement and I understand will be vigorously enforced by the Information Commissioners Office (ICO). I gather the ICO team has been increased four-fold and will be funded by fines for non-compliance. They have produced a helpful 12-steps guide as well as providing regular updates on their website. There is also an information helpline for SMEs on 0303 123 1113, choose option 4.
What about Brexit?
Britain’s exit from the European Union will not affect UK companies’ need to comply with the GDPR. The UK government is currently updating the 1998 Data Protection Act to include all the provisions in the GDPR meaning that it will soon become part of UK law.
Act now to prepare for GDPR
Security of data held should be checked to ensure it is secure and cannot be accessed by unauthorised personnel or stolen by third parties.
You should obtain opt-in permission from all existing contacts and use every form of contact before the 25th May as an opportunity to solicit opt-in since after that date you cannot contact anyone in an unsolicited manner.
An opt-in option and privacy notices should be included on the website where you ask for contact data.
An opt-in option should be included on all direct marketing materials, both online and in print.
Staff should be briefed and trained about the new regulations and the staff induction process updated for all new staff. The staff handbook should also be updated to cover the GDPR.
Review your contracts with any third parties you share data with and review the terms and conditions with customers and suppliers to cover the new regulations.
For businesses with 250 employees or more, there is also a requirement to appoint a data protection officer
There is not long to go before 25th May so businesses need to be focused on obtaining permission from their contacts to contact them in the future and getting their systems and processes up to date as soon as possible.