The General Data Protection Regulation (GDPR) is new EU legislation that comes into force on 25th May 2018 to protect the personal data and privacy of individuals in the EU. In the UK it is enforced by the Information Commissioner’s Office (ICO). Any company that collects data on individuals within the European Union (EU) will need to comply with its rules.
GDPR is the most important change in data privacy regulation in 20 years. It replaces the 1995 Data Protection Directive, which in the UK was implemented by the Data Protection Act 1998.
GDPR does not only affect organisations located within the EU. It also applies to organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. In short, it applies to any company that holds or processes the personal data of individuals in the European Union, regardless of where the company is located.
What is personal data?
Personal data is any information relating to a living individual who can be identified from it, either directly or indirectly. This can be anything from a photo, bank details, an email address or telephone number, medical information or a computer’s IP address.
What are the penalties?
The fines for GDPR non-compliance are steep and not a route any business would want to go down, so being compliant before the deadline of 25th May 2018 is essential. An organisation in breach of GDPR rules can be fined up to 4% of its annual global turnover or €20m, whichever is greater. That is the maximum, reserved for the most serious infringements; there is a tiered approach, and a lower tier of up to 2% of turnover or €10m applies to administrative failings such as not keeping proper records of processing.
Penalties can be enforced for, among other things:
- Processing an individual’s data without a lawful basis or otherwise in breach of the rules
- Not appointing a data protection officer where one is required (for example, where an organisation’s core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data)
- Failing to keep personal data secure, or failing to report a personal data breach to the ICO within 72 hours of becoming aware of it.
Where an organisation relies on consent to process personal data, it must be able to show that the individual actively gave it. This applies to opt-in forms on websites, for example: pre-ticked consent boxes on forms that collect personal data for marketing no longer count as consent, and the individual must be able to withdraw consent or opt out at any time, as easily as they gave it.
A company will also need to tell the person what it intends to do with their data, why it is being collected and where it is being stored, and how long it will be kept, or, if a fixed retention period does not suit the nature of the business, the criteria used to decide that.
An individual can report an organisation to the ICO if they suspect there is a problem with the way their data is being handled.
When an individual requests access to the personal data held about them, an organisation must provide it without undue delay and in any case within one month, which can be extended by a further two months where requests are complex or numerous.
Make the changes now
As the deadline fast approaches, it is important to put processes in place to accommodate these changes. They apply to all businesses, big or small, so if you are a small business collecting data through signup forms on your website, this is a process you need to manage well to be compliant.
Being clear, honest and open with everyone you deal with, and telling them why you are collecting their data and what you intend to do with it, will help streamline the process and put the right procedures in place for your business.
Working with a number of clients in a marketing capacity here at KJP Creative, we are very aware of the implications involved. We ensure complete transparency in all that we do and would never misuse any data we come into contact with.
If you’re looking for advice on the subject with regards to your own business, please feel free to get in touch.