Remember all the furore over Y2K? Planes would fall from the sky, banks wouldn’t function, our personal computers would stop and so on; but in the end it seemed that many of the risks were exaggerated. So, one might ask “is all the hype over EU General Data Protection Regulation a similar over-the-top reaction?”
In short – NO!
Despite the thousands of column inches attributed to the implications of these legislative changes coming in to force on 25 May 2018, it is predicted that over 50% of SMEs and over 30% of large companies will be unprepared for the introduction of some of the most important laws affecting businesses’ sales, marketing and IT activities.
And just to be clear, these are not new guidelines – they are laws; and the maximum penalty for flouting them is Eur20m or 4% of worldwide turnover, whichever is the higher - easily enough to put many SMEs out of business!
Who Does GDPR Affect?
Every company that collects or processes personal data on a EU resident is affected. And the GDPR definition of “personal data” is much wider than the old DPA one, including, for example, monitoring the behaviour of EU residents by tracking their digital activities; effectively, that could include pretty much all companies’ websites and/or apps. Also included are any data that can be used to identify individuals – personal and company emails, IP addresses or still or video images for example; so, it’s difficult to see which companies won’t be affected.
Sales and Marketing Take Note, It’s Not Just an Issue for IT and Compliance
GDPR is a fundamental change in the way that data collection and use is regulated. Historically we have been used to relatively straightforward laws and low levels of enforcement; GDPR probably has the most onerous personal data laws and penalties in the world.
Of course, that means enhanced compliance procedures and processes – not only are companies forced to apply the new laws, but they must also be able to demonstrate that they are compliant. This in turn has wide implications on IT for example how data are stored, indexed and transferred.
But equally important are the implications for Sales and Marketing, who will need to adopt an entirely customer centric attitude; many will need to completely rethink the ways they collect and use customer and prospect information, paying heed to the new, exacting requirements of consent and privacy.
What About Brexit?
“Won’t everything just get back to the old ways after we leave the EU?” ….NO!
Clearly, for companies wishing to trade in/with the EU, the new laws will be in force (and enforced). For others continuing to trade within Britain (or with non-EU countries), commentators believe cyber security and data privacy is so important that we’ll continue to adopt into UK law post Brexit the principles of GDPR.
Time is Running Out
May 2018 might seem like a long way away – but our advice is don’t delay – GDPR affects all companies that hold any personal data, assess whether you need external help and start planning now.
5 GDPR Steps to Take Now
- Know your data - Document what personal data you hold, where it came from and who you share it with.
- Consent must be explicit (and freely obtained) - Review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
- Privacy is key - Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
- Individuals have rights to see manage and port data you hold on them - Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
Breaches can be costly - Make sure you have the right procedures in place to detect, report and investigate any personal data breach.
Certified GDPR Practitioner