GDPR – How does it affect you?

Jun 21, 2017 by Mark Baines

Remember all the furore over Y2K? Planes would fall from the sky, banks wouldn’t function, our personal computers would stop and so on; but in the end it seemed that many of the risks were exaggerated.

So, one might ask “is all the hype over EU General Data Protection Regulation a similar over-the-top reaction?”

In short – NO!

Despite the thousands of column inches devoted to the implications of these legislative changes that came into force on 25 May 2018, over 50% of SMEs and over 30% of large companies were unprepared for the introduction of some of the most important laws affecting businesses’ sales, marketing and IT activities. Many of these still have not taken the steps to comply.

And just to be clear, these are not new guidelines – they are now the law; and the maximum penalty for flouting them is Eur20m or 4% of worldwide turnover, whichever is the higher – easily enough to put many SMEs out of business!

Who Does GDPR Affect?

Every company that collects or processes personal data on an EU resident is affected. And the GDPR definition of “personal data” is much wider than the old DPA one, including, for example, monitoring the behaviour of EU residents by tracking their digital activities. Effectively, that could include pretty much all companies’ websites and/or apps. Also included are any data that can be used to identify individuals – personal and company emails, IP addresses or still or video images, for example. So it’s difficult to see which companies aren’t affected.

Sales and Marketing Take Note, It’s Not Just an Issue for IT and Compliance

GDPR is a fundamental change in the way that data collection and use is regulated. Historically we have been used to relatively straightforward laws and low levels of enforcement; GDPR probably has the most onerous personal data laws and penalties in the world.

Of course, that means enhanced compliance procedures and processes – not only are companies forced to apply the new laws, but they must also be able to demonstrate that they are compliant. This in turn has wide implications for IT, for example how data are stored, indexed and transferred.

But equally important are the implications for Sales and Marketing, who need to adopt an entirely customer-centric attitude; many need to completely rethink the ways they collect and use customer and prospect information, paying heed to the new, exacting requirements of consent and privacy.

What About Brexit?

“Won’t everything just get back to the old ways after we leave the EU?” ….NO!

Clearly, for companies wishing to trade in/with the EU, the new laws will be in force (and enforced). For others continuing to trade within Britain and non-EU countries, cyber security and data privacy are viewed as being so important that we’ve committed to continuing to adopt into UK law the principles of GDPR – post Brexit.

Time is Running Out

May 2018 may have passed without crisis – but our advice is don’t delay – GDPR affects all companies that hold any personal data. Assess whether you need external help and start planning now.

5 GDPR Steps to Take Now

  • Know your data – Document what personal data you hold, where it came from and who you share it with.
  • Consent must be explicit (and freely obtained) – Review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
  • Privacy is key – Review your privacy notices and make any necessary changes for GDPR implementation.
  • Individuals have rights to see, manage and port data you hold on them – Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
  • Breaches can be costly – Make sure you have the right procedures in place to detect, report and investigate any personal data breach.

Colin Jupe
Certified GDPR Practitioner
