What would you do with 20 million Euros? How about 4% of your annual global turnover?
There's one thing we know for certain that you won't want to do with it: pay the larger of the two as a fine to your data protection regulator (in the UK, the ICO). That is the maximum penalty facing businesses of all sizes from 25 May 2018, when the General Data Protection Regulation (GDPR) comes into effect.
You're here because your professional services firm wants to comply with the new data protection rules while still building customer relationships and generating leads online in an ethical manner.
In this post from our series on GDPR and Your Business, we’re going to explain GDPR, the impact on your business and how you can become compliant.
What is GDPR?
As stated above, GDPR stands for the General Data Protection Regulation. It applies to every organisation that controls or processes the personal data of individuals in the EU, wherever that organisation is based. It is designed to strengthen the data protection provisions already in force under the Data Protection Act 1998 and, as an EU regulation, it has direct effect in UK law without needing separate UK legislation. Because the regulation covers global firms dealing with EU-based individuals, not just UK companies, it supersedes the UK-only Data Protection Act 1998.
The law aims to further protect individuals, online and offline, by clearly defining the rights of a person in the EU over their personal data. Note that personal data means data about identifiable living individuals, not data about companies as such. The law is nonetheless relevant to both B2B and B2C organisations, because the named contacts you hold for a business (a buyer's name, work email address and direct line, for example) are personal data about those individuals.
How will GDPR Impact my Business?
As a business, the crux of GDPR comes down to how you control and process personal data - namely this must be done lawfully, fairly and transparently.
Personal data can only be collected and held for a specific, stated purpose, and you need a lawful basis for each purpose. Consent is one of six lawful bases (legitimate interests is another that marketers commonly rely on), but where you do rely on consent it must be specific to that purpose. Under the existing Data Protection Act companies often rely on generic 'marketing' consent, or even presumed consent unless the person opts out.
Generic or opt-out consent will not count as consent under GDPR. Consent must be freely given, specific, informed and unambiguous, and you must be able to evidence it: who consented, when, how, and to what. For example, if someone opts in to email marketing you cannot use that consent to send them a letter or call them at work.
The definition of personal data is also being expanded under GDPR. Personal data is any information that can be used, directly or indirectly, to identify a living individual. Online identifiers such as IP addresses and cookie IDs are explicitly included, because they can be traced back to a data subject.
For many companies, especially those relying on more outbound methods of marketing this is going to be a significant and potentially costly change to implement.
How can my business prepare for GDPR?
The first steps to preparing for GDPR is to ensure that everyone in your organisation understands the regulations, their impact and the changes required.
GDPR requires certain organisations to appoint a Data Protection Officer (DPO): public authorities, and organisations whose core activities involve large-scale systematic monitoring of individuals or large-scale processing of sensitive data. Even where it is not mandatory, the ICO's guidance is that you should consider appointing a DPO voluntarily, and in any case designate a trained person to act as the internal expert and be accountable for compliance.
We recommend completing an audit of how your business currently stores and collects data, focusing on the consent that is given. This becomes especially important if you employ mainly outbound marketing methods.
The good news is that Inbound Marketing broadly follows the GDPR principles: prospects come to you and ask for information, so the request itself provides a clear basis for sending them what they asked for. However, a request for a whitepaper is not consent to ongoing marketing, so that does not make you automatically compliant; your processes still need reviewing. This includes ensuring you have:
- An audit trail of consent (what was agreed to, when, and through which form) which can be used as evidence against any complaint
- Granular, per-purpose consent, ideally confirmed by a double opt-in, so that consent to one channel (such as email) is never reused for another (such as phone or post)
- A method for deleting and removing a person's data at their request, and for honouring a withdrawal of consent as easily as it was given
- Consent that also covers IP and cookie tracking where you rely on consent for it, and verified parental or guardian consent before offering consent-based online services to children
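To make the checklist above concrete, here is an added illustration (not code from the original post or from any product it mentions) of a small consent ledger that records consent per subject and per purpose, holds it as pending until a double opt-in confirmation arrives, refuses to reuse consent across channels, and supports withdrawal and erasure while keeping a redacted audit trail. The subject identifiers, purpose names and the sample web-form source string are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Consent:
    """One consent for one purpose. Separate channels are separate purposes."""
    purpose: str
    requested_at: datetime
    source: str                       # evidence: which form, page, IP address etc.
    confirmed_at: Optional[datetime] = None   # set by the double opt-in step
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Per-subject, per-purpose consent with an append-only audit trail."""

    def __init__(self) -> None:
        self.consents: dict[str, dict[str, Consent]] = {}
        self.audit: list[dict] = []   # every state change, in order

    @staticmethod
    def _now(at: Optional[datetime]) -> datetime:
        return at or datetime.now(timezone.utc)

    def _log(self, event: str, subject: str, purpose: Optional[str],
             at: datetime, source: Optional[str] = None) -> None:
        entry = {"event": event, "subject": subject, "purpose": purpose, "at": at}
        if source is not None:
            entry["source"] = source
        self.audit.append(entry)

    def request(self, subject: str, purpose: str, source: str,
                at: Optional[datetime] = None) -> None:
        """Record an opt-in from a form. It is NOT usable until confirmed."""
        at = self._now(at)
        self.consents.setdefault(subject, {})[purpose] = Consent(purpose, at, source)
        self._log("request", subject, purpose, at, source)

    def confirm(self, subject: str, purpose: str,
                at: Optional[datetime] = None) -> bool:
        """Second step of the double opt-in (e.g. the link in the confirmation email)."""
        c = self.consents.get(subject, {}).get(purpose)
        if c is None or c.confirmed_at is not None:
            return False
        c.confirmed_at = self._now(at)
        self._log("confirm", subject, purpose, c.confirmed_at)
        return True

    def withdraw(self, subject: str, purpose: str,
                 at: Optional[datetime] = None) -> bool:
        """Withdrawing must be as easy as giving consent; it does not erase the record."""
        c = self.consents.get(subject, {}).get(purpose)
        if c is None or c.withdrawn_at is not None:
            return False
        c.withdrawn_at = self._now(at)
        self._log("withdraw", subject, purpose, c.withdrawn_at)
        return True

    def may_contact(self, subject: str, purpose: str) -> bool:
        """True only for this exact purpose: email consent never covers phone or post."""
        c = self.consents.get(subject, {}).get(purpose)
        return c is not None and c.confirmed_at is not None and c.withdrawn_at is None

    def erase(self, subject: str, at: Optional[datetime] = None) -> int:
        """Right to erasure: drop the subject's data but keep a redacted audit trail
        so you can still show that consent existed and was handled correctly."""
        removed = len(self.consents.pop(subject, {}))
        for entry in self.audit:
            if entry["subject"] == subject:
                entry["subject"] = "[erased]"
                entry.pop("source", None)     # the source string may hold an IP address
        self._log("erase", "[erased]", None, self._now(at))
        return removed


if __name__ == "__main__":
    ledger = ConsentLedger()
    # Constructed sample: a whitepaper download form that offered an email opt-in.
    ledger.request("alice@example.com", "email_marketing",
                   source="form=/whitepaper ip=203.0.113.7")
    print(ledger.may_contact("alice@example.com", "email_marketing"))   # pending -> False
    ledger.confirm("alice@example.com", "email_marketing")
    print(ledger.may_contact("alice@example.com", "email_marketing"))   # True
    print(ledger.may_contact("alice@example.com", "phone_marketing"))   # False
```

The design point is that `may_contact` is the only question the sending system ever asks, and it is answered per purpose from evidence on record, so a campaign tool cannot accidentally reuse an email opt-in for a telephone list. Erasure removes the personal data and the evidential `source` field but leaves the sequence of events, which is what you would produce in response to a complaint.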
Implementing all of these safeguards can seem daunting. But if you start to act now you can be compliant in time for 25 May 2018.
Does Brexit Affect GDPR?
No. EU regulations such as GDPR have direct effect in the UK for as long as the UK is a member, and the Great Repeal Bill envisaged for Brexit is intended to carry existing EU law into UK law on exit. Beyond that, GDPR applies to any organisation, inside or outside the EU, that offers goods or services to people in the EU or monitors their behaviour, so a UK firm with EU customers or website visitors will be within its scope after Brexit regardless.
Full compliance with GDPR is no small task, and professional services companies are likely to want to have a head start in addressing data protection issues and risks.
Throughout our series on GDPR, we’ll be addressing a variety of matters to help your firm comply with the latest data protection regulations.
If you want to learn more about GDPR, book a free Inbound Marketing Assessment with one of our experts.