What is GDPR?
The General Data Protection Regulations Act will become enforceable on 25th May 2018 to supersede the EU Data Protection Directive of 1995. Having been enacted before the explosion in the amount of digital information collected and stored, the previous directive required updating to drastically increase and harmonise personal data protection for individuals within the EU. It also applies to the export of personal information outside the EU. Despite Brexit, the regulations will also be made law within the UK.
How will it affect my business?
Fundamentally the regulations signal a shift in how personal data can be gathered, stored and used, in order to protect European citizens’ rights. The regulations aim to clarify the legal implications of personal data collection, usage and storage and make data protection laws identical for businesses across the UK and EU. Every business will need to ensure compliance with the regulations when processing and storing personal data from customers or staff, and make it explicit how this will be used. Personal data includes any information that can be used to identify a living person including addresses, phone numbers, email addresses and any other online identifiers. If it’s possible that an individual could be identified by a pseudonym or avatar – this will also fall under the law.
The onus for an individual’s data protection will now be on the businesses who process their personal information, rather than the individual themselves. For example, many businesses large and small have up to now been quite ‘relaxed’ in the ways they have gathered and used personal data collected from customers and contacts, automatically sending email marketing to people who have not specifically ‘opted out’ of marketing communications. The new regulations will mean that marketing may only be sent to individuals who have specifically ‘opted in’ to a particular list with a particular purpose. There are also implications for the use of tracking codes on your website for remarketing purposes, and for the provision of the personal data you hold to individuals when they request it.
What if I don’t comply?
You could be in for a hefty financial penalty! The new regulations require all businesses to follow best practice, and fines of up to 4% of annual turnover are possible for non-compliance or serious infringements of the regulations.
What do I need to do to ensure my business is compliant?
There is a checklist produced by the Information Commissioner’s Office (ICO) for businesses to follow to ensure that they are GDPR compliant by 25th May. The full document can be accessed here, but these are the 12 steps in brief:
1. Awareness: if you haven’t done so already, designate or hire a person or team to be responsible for following the procedures towards achieving compliance within your business. Make sure the key figures in your organisation are all aware of the upcoming changes under GDPR and understand that your business needs to be compliant.
2. Information audit: carry out an audit of all the personal data your organisation holds, what it is used for and why.
3. Review privacy notifications: check what you already have in place and make a plan to update your website and any other data gathering tools accordingly.
4. Individuals’ rights: check your current procedures and how they affect individuals’ protection rights.
5. Subject access requests: plan to put procedures in place to deal with individual access requests for personal data.
6. Personal data and the law: identify the lawful basis by which you will be processing your customers’ personal information and update your business privacy notifications to make this explicit.
7. Review consent procedure: review how your business currently seeks, records and manages consent for the collection, storage and usage of personal data and update the processes if necessary.
8. Children: do you need to implement any procedures to check ages or obtain parental or guardian consent for processing information? The rules regarding the personal data of children are stricter.
9. Data breaches: ensure you implement systems to detect and act upon any breaches in personal data processing.
10. Privacy impact assessments: make sure you are familiar with the code of practice on Privacy Impact Assessments and how and when to implement them.
11. Data protection officers: consider the responsibilities of this role and whether you need to formally designate a Data Protection Officer position in your organisation.
12. International: check out the implications if your organisation carries out cross-border data processing in the EU.
How PMOD can help.
Don’t panic, but there’s definitely some administrative and procedural work for businesses to start doing now to get compliance issues and updated privacy notifications in place before 25th May.
If you’re struggling to find the time to organise the processes for dealing with GDPR, PMOD can assist your organisation by carrying out an audit of existing data gathering and usage, and the privacy processes in place, to help manage the implementation and continuation of your compliance projects. Get in touch to find out more.
Project Management On Demand supplies skilled Project Management professionals to digital businesses when they are needed most. Working remotely or in-house, our PMs look after your key deliverables, mitigate issues, keep your critical path on track, and keep your clients happy. For more information on our services, visit www.projectmanagementod.co.uk/our-services