The General Data Protection Regulation (GDPR) comes into force on 25th May 2018. The new rules replace the old Data Protection Directive and will literally affect every single business outside the USA that collects data about people living in the EU. As you may have heard, businesses that don’t comply with GDPR could face hefty fines of up to 4% of their annual turnover, or €20 million (whichever is greater). Scary stuff, huh?
So what’s GDPR all about, then? Well in a nutshell, it’s designed to give consumers more protection and increased privacy around the information companies hold about them. People will have more rights over the type of data that’s collected (names, email addresses, dates of birth so on) and how this is used.
Under one of the more controversial elements, people can even ask you to transfer their personal data to someone else – effectively giving them carte blanche to hand their custom over to your competitors. Eek!
There are 8 key principles within GDPR. You must make sure the personal info you store and collect is:
- Treated fairly and in line with the law.
- Obtained and used only for the purposes you specify.
- Adequate, relevant and not excessive (e.g. why hold someone’s date of birth if you don’t do age-based marketing?).
- Accurate and up to date.
- Not kept for longer than necessary and deleted on request.
- Processed in line with consumer rights.
- Held with appropriate levels of data security.
- Not transferred abroad without ensuring adequate legal protection.
If your business suffers a data breach, you’re legally obliged to let the Information Commissioner’s Office know within 72. And as noted above, any breach could result in an eye-watering fine. So, rather than sitting around and waiting for 25th May to come around, I recommend you act NOW!
Other Things To Consider
Getting your data and IT security ducks in a row is just one aspect of GDPR. There are other things to consider, too, such as appointing a Data Protection Officer (DPO); reviewing your data to see what you need and don’t need; putting robust passwords in place; and contacting your customers to tell them what data you hold about them and why. Luckily, there’s lots of information online, or you could book onto a training workshop or seminar to help your business prepare effectively for GDPR.
And Finally… Some Good News
GDPR might sound like a lot of hassle, especially if you’re a small business with limited time and resources. But there are some benefits to compliance – like showing your customers you’re a trustworthy organisation that takes care to protect their privacy and personal information. So it’s not all bad, is it?