A wild stab in the dark but are you getting annoyed reading about GDPR and the dozens of automated emails and pop-ups about GDPR? You don’t want to ever hear about GDPR again, do you?
Well, to be honest, we don’t either but it’s important that we’re all aware of what’s happening and how it affects businesses who hold and process data. It’s not sexy, but it’s vital we all know what’s going on.
What is GDPR?
It stands for General Data Protection Regulation and on May 25th (a few weeks from now), it will come into force.
Over the past few years you may have come into contact with the phrase ‘big data.’ In a nutshell, it allows the data collected from consumers to be used by brands to target them with highly personalised ads, products and services. While these services may be useful, the way that the data has been obtained has come into question.
The original regulations were drawn up in the early 1990s at a point in the lifecycle of the internet where no-one could have foreseen how powerful and all-encompassing it was going to be. A re-write was long overdue.
GDPR puts the power back into the hands of the data source (you). It’s designed to give you more control over how your personal data is used and stored.
Put simply by dummies.com, ‘The GDPR covers any information that can be classified as personal details or that can be used to determine your identity and parental consent will be required to process any data relating to children ages 16 and under.’
That data includes your:
- Address and phone number/s
- Email addresses and IP addresses
- Social media posts
- Personal medical information
- Banking details
It covers anything that can be used to identify someone, and that now stretches to genetic data, political or religious views and even sexual orientation. Where personal data is concerned, one of the major differences between the new GDPR legislation and the current (soon to be old) data protection laws is that it also includes what is known as ‘pseudonymised personal data’: data held under a pseudonym still counts as personal data, because it can still be traced back to the individual.
The new GDPR gives everyone the right to request that personal data held on them be securely erased and companies will be legally obliged to delete data when:
- The information a company holds on them is no longer necessary for the purposes for which it was originally collected
- The information wasn’t collected with the explicit, informed consent of the subject (you)
- The information was unlawfully processed
Who Is Affected?
In short, everyone. Any business, organisation (including charities, voluntary groups and members’ clubs) and individual who either controls or processes data is subject to GDPR compliance (and if you’re unsure whether you fit into either category, click here for guidelines published by the Information Commissioner’s Office).
There are different compliance rules for companies of different sizes, but this, from service design agency Nile HQ, is an excellent piece of advice: ‘it’s worth remembering that data protection is more than a compliance issue. Customers care about their privacy and expect businesses to respect that. It’s good business sense to demonstrate that you ‘get’ this cultural aspect, as well as the financial one.’
The key here is not to get overwhelmed by what you have to do. Like it or not, GDPR is about to become an important element of your organisational culture, and it will help you to manage data more effectively:
- Know what you have, and crucially, why you have it
- Manage your data in a structured way
- Know who in your organisation is responsible for it
- Encrypt data you wouldn’t want to disclose
- Create a culture that is ‘security aware’
- Be prepared (we think this one was stolen from the Scouts)
Here’s a great infographic which explains the above clearly and concisely.
The Business Impact
Let’s start with the bad news.
There are of course fines for non-compliance (and you can read what you can specifically be fined for here). The two toughest tiers are up to €10m or 2% of the company’s global turnover for the previous financial year, and up to €20m or 4%.
Massive fines aside, GDPR will undoubtedly have an impact on all businesses, especially SMEs. Again, from Nile HQ, ‘The new rules will require businesses large and small across the globe to transform their policies, structure and personnel to ensure compliance and adherence. Data protection and security has to be built into the fabric of organisations rather than farmed out or siloed.’
But instead of asking ‘what is the impact of GDPR on our business?’, perhaps the question should be rephrased to ‘what opportunities does GDPR offer us?’
It should be made clear at this juncture that we are not suggesting for a second that anyone is doing anything underhand with the data they hold. But making sure your customers, clients, shareholders and other stakeholders know that, as a business, you are taking the control and processing of data seriously, ethically and responsibly can’t be a bad thing.
As with all these things, the hype is often worse than the truth, but GDPR isn’t something that can be swept under the carpet and dealt with when there’s some spare time. We’ve included the official EU legislation and the guidelines published by the ICO, but the internet is chock-full of advice, checklists, information and articles about what you need to do, so take a look and make sure you’re GDPR compliant by May 25th.
Have a good week.