The GDPR – What you need to know
The General Data Protection Regulation (GDPR) is an EU-wide law that applies from 25 May 2018. The rules on personal data and how it is managed are going to change. The aim is to give the personal data of everyone in the EU stronger protection. It introduces new policies and procedures that every organisation which owns, brokers or processes personal data must adopt.
The text of the GDPR is now final, but guidance on how it will be interpreted and enforced is still being published, so keep an eye on it to stay one step ahead. It is also key to mention that the GDPR applies to all businesses in the UK that manage personal data. Regardless of the outcome of the ‘Brexit’ referendum, this regulation will still apply to UK businesses, and they will be liable for any breaches.
Key Highlights from the GDPR
Below are some of the key changes that the regulation introduces. All companies that manage and process personal data must ensure they are compliant with these changes before 25 May 2018.
The regulation applies to every company that holds or processes data on individuals in the EU, whether or not the company itself is established in Europe or the European Union. This also means you will be liable for any breach of personal data under this regulation. Companies based outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU must appoint a representative within the EU. This expansion of territorial scope shows the EU’s intent to ensure that everyone within its borders has a high level of protection.
Explicit Consent Required
The rules on obtaining consent to process personal data are changing. Consent must be a clear, affirmative opt-in: companies must make it abundantly clear on any form or page what the individual is agreeing to and what their personal data will be used for. An opt-in buried inside terms and conditions will no longer count, and neither will pre-ticked boxes or silence. It is also the company’s responsibility to make withdrawing consent as simple as giving it. For online services offered to children under 16, consent must come from a parent or guardian (member states may lower this age, but not below 13). This ensures protection for potentially vulnerable people.
Rights to Access
The GDPR sets out an individual’s right to obtain:
- Confirmation that their data is being processed
- Access to their personal data
This allows an individual to check that their data is processed lawfully and in full compliance with the regulation. The information must normally be provided free of charge; a reasonable fee may only be charged where a request is manifestly unfounded or excessive. For all requests, you have one month from the request date to respond, extendable by a further two months for complex or numerous requests, provided you tell the individual why within the first month.
Right to Erasure
The new regulation gives individuals control over what is held on their personal data. If they no longer wish to receive marketing material, they can object and instruct the data owners/managers to remove their record. This right is not absolute, so it applies only in certain circumstances, including (to name a few):
- In situations where the original purpose of processing their data is no longer relevant.
- Where the individual withdraws their consent.
- When they object to the processing of their information.
- Unlawful processing.
Third parties with whom the data has been shared must also be notified of any removals if the individual’s records are on their data lists.
Right to Rectification
If any of the data you hold is inaccurate or out of date, the individual it relates to has the right to have it corrected. This includes incorrect names, postal addresses, email addresses and so on. If the inaccurate record has been shared with any third parties, those third parties must also be told of the correction, and the individual has the right to know who they are. For all rectification requests, companies have one month from the date of the request to respond.
Data Protection Officers
One of the major additions in the GDPR is the mandatory appointment of a Data Protection Officer (DPO) for certain organisations. You must appoint a DPO in your company if:
- You are a public authority.
- Your core business activities involve regular and systematic monitoring of individuals on a large scale.
- You carry out large-scale processing of special categories of data, or of data relating to criminal convictions and offences.
The regulation goes into detail about the responsibilities of the DPO. A number of these are below:
- Advise on, and monitor, the company’s compliance with the GDPR and any other data protection laws, such as the Data Protection Act.
- Monitor company policies and procedures to ensure they comply with the regulation.
- Oversee the training of staff so they act in accordance with the regulation.
- Act as the point of contact for the supervisory authority and for individuals enquiring about their personal data.
A DPO may be an existing employee, but you must publish their contact details and communicate them to the supervisory authority. The DPO must have expert knowledge of data protection law and practice. You can also outsource the role to an external provider if necessary.
Penalties For Breaches
The regulation comes with stern penalties for breaches. The maximum fine is the greater of 4% of your total worldwide annual turnover or €20 million. There is also a lower tier of up to 2% of turnover or €10 million for less serious infringements, such as failures in record-keeping, security measures or breach notification.
The points above are just some of the many changes coming with the GDPR. One recurring theme is accountability: businesses must be able to actively demonstrate that they are complying, not merely comply. Enforcement will be active, so we highly recommend that you read the full regulation. If you own or manage data you need to ensure everything is in place by 25 May 2018.
Many companies are also on hand to help your business prepare for the GDPR. If you manage data and need advice on what to do, have a look at the ICO’s website.
At Impact Marketing, we own and manage a number of different data lists. These are fully managed, compliant and cleansed on a regular basis. Get in touch today and a member of the team will be happy to talk through your marketing needs with you.