Back in August we wrote about how a new Data Protection Bill was set to be published in September this year, which would bring the EU’s General Data Protection Regulation (GDPR) into UK law.
GDPR is now officially due to come into force on 25th May 2018 and will mark the most wide-ranging change to global privacy law in two decades.
GDPR will apply to any organisation that provides goods or services to, or tracks or creates profiles of, EU citizens. Brexit won’t stop its introduction, especially as we remain part of the EU until March 2019; in any case, it is widely believed that the UK will adopt its own legislation incorporating the GDPR provisions.
GDPR should in theory make the business owner’s life easier, because there will be clarity as to how they should be controlling data. There are all sorts of new rules that must be followed, and failure to do so can result in substantial fines that could reach €20 million or four per cent of group global turnover.
How to be GDPR Compliant
As a business, there are three key areas in which you’re going to need to ensure you are compliant.
Consent
Anyone you wish to contact for marketing purposes must have opted in to receive communications from you via a ‘clear, affirmative action’. You are no longer permitted to use pre-ticked boxes hidden away at the end of a form or terms and conditions, nor can any wording that relates to receiving marketing communications be ambiguous or unclear. Opt-outs are no longer allowed; GDPR heralds the age of the opt-in. It’s going to be necessary to cleanse existing mailing lists so that everyone opts in under the new rules; otherwise you will no longer be able to contact them after May 2018.
Right to be forgotten
You can no longer keep data for any longer than you need to, or for anything other than its intended purposes. Data must not be kept indefinitely, and any EU citizen will retain the right to request that their data is removed where no legitimate reason exists to process it.
Personal data processing
Data can no longer be held just for the sake of it. A legitimate reason must exist for you to have brought data together. You must also have a clear reason concerning what you intend to do with the data and for how long you will need to use it, and you’ll need to be upfront with consumers about this information.
Time to get ready for GDPR
There is no time to waste in preparing for GDPR. Whilst it may seem a long way off, the fact is there is a lot to do, and if you haven’t ensured that everything is in place by the deadline of 25th May 2018, then you could be at risk of non-compliance fines.
If you have mailing lists that need to be opted in, you should not leave this to the last minute: by then, consumers could well be fed up with the bombardment of email requests, which could lead to wholesale deletion.
There is useful guidance on the Information Commissioner’s Office website as to how you’ll need to comply with GDPR. You could also talk to your local bookkeepers for tailored advice on the various aspects that apply to your particular business.