GDPR Part 1: Are you ready?
There’s a massive change coming to the way we collect, store and use client and customer details. This change is set to shake up how every organisation in the world operates, and if you haven’t started thinking about GDPR, now’s the time!
The General Data Protection Regulation (GDPR) seems to have gone under the radar a little, and general awareness has been pretty relaxed. This is surprising considering the global impact it will have. If you don’t know anything about GDPR, it’s worth spending some time researching what it means, and getting in touch with an independent advisor if you are concerned about how it will affect your business.
To help you get started, here’s a bit of background on the new law:
What is GDPR?
GDPR is a European privacy law designed to regulate how individuals and organisations may obtain, use, store and delete personal data belonging to EU citizens. It will replace the UK’s 1998 Data Protection Act and will officially be enforceable from May 25, 2018 – enforceable meaning that there will be no “grace period”, and every business must be compliant by this date.
Does it apply to me?
The GDPR applies to any business that stores personal data belonging to an EU citizen, regardless of whether it is offering goods or services, and regardless of whether payment is taken. So, if you store any personal data belonging to an EU citizen, even if your business is registered in Timbuctoo, then yes, GDPR applies and will affect the way you operate.
What is personal data?
The GDPR definition of personal data includes any identifiable information. This means that a name, an email address and a postal address all count as personal data. This is pretty much the standard information every business needs in order to make general contact with a customer or client.
The GDPR’s own definition of personal data: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
What about ‘Brexit’?
Leaving the European Union will have little impact on a UK business’s requirement to comply with the GDPR. The GDPR affects any company in the world that holds and processes personal data of EU citizens. So, at present, that applies to UK contacts, and even after Brexit, if you have just one EU contact in your database, CRM or accounts package, you will need to comply with the GDPR. Regardless, it is also expected that the regulation will be copied into UK law following our exit from the European Union – so there really is no escaping this one!
What happens if you aren’t compliant?
Well, for minor infringements you’re likely to receive a warning. However, if there is gross misuse of data, or you fail to heed warnings, there are some hefty fines for non-compliance. Financial penalties can be as high as 20 million euros or 4% of global annual turnover, whichever is higher.
What does this mean for me?
This really depends on the type of data you store. Organisations that store a lot of sensitive, identifiable personal data, such as location data or health data, will most likely have the largest changes to make. Smaller organisations should only need to make minor changes to their processes. Regardless, every organisation will need to look at the way information is stored and ensure their customers know why they have, or need, that data. For more information, read our ‘What does GDPR mean to my business?’ article.
For more information on how GDPR will affect the most common digital marketing platforms, including email marketing platforms, read our ‘GDPR and the tools marketeers use’ article.