While the 25th of May 2018 seems like a lifetime away, the effects of GDPR will have severe implications for any business handling ‘personal data’. Fail to adhere to GDPR and your business could be fined up to 20 million Euro, or 4% of annual turnover – not profit – whichever is greater.
To illustrate what that means in real terms, TalkTalk’s 2016 fine of £400,000 could have reached an eye-watering £59m had the GDPR maximum been applied.
Businesses should have already started preparations for GDPR by now. Most organisations will have to fundamentally change the way they organise, manage and protect data. A shift of this size will need buy-in from the board.
The time to act to ensure your business doesn’t fall foul of GDPR is now. To help you get prepared, we’ve put together a quick guide to GDPR and what it might mean for your business.
It’s said that the amount of data held globally is doubling every year, and this is expected to continue until at least 2020. A large part of that data is personal data held by businesses about individual citizens. Currently, data protection in the EU rests on the 1995 Data Protection Directive, which each member state implemented in its own national law, so there is no single piece of legislation defining what those companies can and cannot do with that data.
The aim of GDPR is to give EU citizens greater control over how their own personal data is used. According to the European Commission, ‘more than 90% of Europeans want the same data protection rights across the EU – and regardless of where their data is processed.’
The What of GDPR
With a greater emphasis on individuals’ control of their own data, GDPR places significant importance on the issue of consent.
As an example, while businesses can currently collect data with implied consent – a pre-ticked box – under GDPR consent will have to be actively given through a clear affirmative action. GDPR does not mandate double opt-in as such, but a double opt-in process is the simplest way to show that consent was actively given, and is likely what most businesses will adopt to comply.
Secondly, GDPR hands citizens of the EU the right to know exactly how their data is being used: for instance, whether it’s being used for marketing purposes or subsequently handed to third parties for less transparent reasons. Authorisation for each of those uses must be sought.
The Issue of Consent
If 95% of the conversations we’ve had are to be believed, the bulk of the concern surrounding GDPR relates to consent.
Do our data collection methods comply?
Will we have to delete the data we’ve already collected?
Well, the time of implied consent is certainly over. And the Information Commissioner’s Office (ICO) has declared that the standard of consent should be ‘specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn.’
Consent must be actively and freely given. Should the individual then wish to revoke consent it should be as easy to do as was opting in. That sounds reasonable and straightforward. But consider the issue of Wi-Fi data collection.
If a hotel or cafe demands that an email address is given in exchange for use of Wi-Fi, is that choice really free whether or not a box has been ticked? And this is something that all businesses should consider; backing customers into a data collection cul-de-sac isn’t necessarily ok as long as they tick a box.
The complexities of data collection and whether or not your business complies is something for you to consider independently. If you’re unsure, consult your legal advisor.
But at the very least, we’d advocate taking the best possible steps to ensure compliance. For instance, adopting the double opt-in that many email marketers (particularly in the US) already use is advisable.
This sounds daunting compared to the soft opt-ins we’re currently used to, but it’s relatively simple to set up and can have its benefits: improved open and click-through rates, for instance, because everyone on the list has actively asked to be there.
This might look like:
- A data capture form with opt-in box that requires active consent to be given
- An automated confirmation email sent to new subscribers requiring action to confirm the double opt-in
- An integrated process that stores a timestamp for both the first and second opt-in, together with the wording the subscriber agreed to and where the data was captured
The above process goes a long way towards ensuring that the consent you collect meets the GDPR standard, and it provides your business with evidence that you have followed the regulations should you ever be asked.
Actually, moving your data collection towards compliance should be relatively simple in practice (though getting the change through your internal business procedures may be harder). What is potentially more concerning for businesses is whether the data they’ve already collected complies with GDPR.
The ICO has declared that for consent to be valid, you must be able to prove exactly when and how that consent was given; in practice, it must have a timestamp attached to it. If there is no timestamp, you must either delete the data or seek consent again by emailing your database and requesting opt-in once more. Take advice before sending such an email: the ICO treats a re-consent email as a marketing message in its own right, so it cannot go to people who previously opted out.
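As an added illustration, and not code from the original article or from any vendor, the following Python sketch implements the double opt-in ledger described above (active tick, confirmation token, timestamps for both opt-ins, easy withdrawal) and the audit of already-held data that lacks a consent timestamp. The 48-hour token lifetime, the field names, the `audit_legacy` helper and the sample legacy rows are my own assumptions.

```python
"""Double opt-in consent ledger with timestamped evidence (illustrative example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

TOKEN_TTL = timedelta(hours=48)  # assumed lifetime of the confirmation link


@dataclass
class ConsentRecord:
    email: str
    purpose: str                 # what the subscriber was asked to consent to
    wording: str                 # exact statement shown next to the opt-in box
    source: str                  # where the data was captured, e.g. "form:/signup"
    first_opt_in: datetime       # when the box was actively ticked
    token_hash: str              # HMAC of the emailed confirmation token
    confirmed_at: Optional[datetime] = None   # second opt-in (link clicked)
    withdrawn_at: Optional[datetime] = None   # consent withdrawn


class ConsentLedger:
    def __init__(self, secret: bytes, clock: Optional[Callable[[], datetime]] = None):
        self._records: Dict[str, ConsentRecord] = {}
        self._secret = secret
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def _hash(self, token: str) -> str:
        # Store only a keyed hash so a leaked database cannot be used to confirm on someone's behalf.
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def record_opt_in(self, email: str, purpose: str, wording: str, source: str,
                      box_ticked: bool) -> str:
        """First opt-in: refuse pre-ticked/implied consent, return the token for the confirmation email."""
        if not box_ticked:
            raise ValueError("consent must be actively given: the box was not ticked")
        token = secrets.token_urlsafe(32)
        self._records[email] = ConsentRecord(email, purpose, wording, source,
                                             self._clock(), self._hash(token))
        return token

    def confirm(self, email: str, token: str) -> bool:
        """Second opt-in: single-use, time-limited, constant-time token check."""
        rec = self._records.get(email)
        if rec is None or rec.confirmed_at is not None or rec.withdrawn_at is not None:
            return False
        if self._clock() - rec.first_opt_in > TOKEN_TTL:
            return False
        if not hmac.compare_digest(self._hash(token), rec.token_hash):
            return False
        rec.confirmed_at = self._clock()
        return True

    def withdraw(self, email: str) -> bool:
        """Withdrawal is one call, as easy as opting in."""
        rec = self._records.get(email)
        if rec is None:
            return False
        rec.withdrawn_at = self._clock()
        return True

    def may_contact(self, email: str) -> bool:
        rec = self._records.get(email)
        return bool(rec and rec.confirmed_at and not rec.withdrawn_at)

    def evidence(self, email: str) -> Optional[ConsentRecord]:
        """The record you would show a regulator: who, what, when, how."""
        return self._records.get(email)


def audit_legacy(rows: List[dict]) -> Tuple[List[str], List[str]]:
    """Split an existing list into contacts with a consent timestamp and those needing deletion or re-consent."""
    keep, needs_action = [], []
    for row in rows:
        stamp = row.get("consent_at")
        try:
            datetime.fromisoformat(stamp)   # a parseable timestamp is the minimum evidence
            keep.append(row["email"])
        except (TypeError, ValueError):
            needs_action.append(row["email"])
    return keep, needs_action


# Constructed sample of an old mailing list: only the first row has a recorded timestamp.
LEGACY_CONTACTS = [
    {"email": "old1@example.com", "consent_at": "2017-03-01T10:00:00+00:00"},
    {"email": "old2@example.com", "consent_at": None},
    {"email": "old3@example.com"},
]
```

`audit_legacy` is deliberately strict: a row with no parseable timestamp is treated as having no usable evidence of consent, which is exactly the case the ICO guidance says must be deleted or re-consented.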
Should you fail to ensure your data is compliant, the consequences would likely be financially severe and damaging to your brand.
Where to start?
If you’re completely stuck with where to begin, consider using a self-assessment tool, which will aim to give you an idea of your readiness to comply. Microsoft has free tools available for this purpose…
Next, complete a data audit of all the information that you hold, so you know exactly what you’re dealing with, where it came from, what consent or other basis you hold it under, and who it’s being shared with.
Understandably, the ICO is also taking steps to speak positively about the new regulations, possibly in a move to lessen any panic or ill-feeling. A spokesperson for the organisation has said:
‘there is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals – and gain a competitive edge.’
This suggests that despite all the hard work that businesses will have to put in before May next year, the benefits could be substantial, particularly if people begin to view them as trustworthy and respectable.
If you would like to find out more about GDPR or want to make sure your business is compliant, get in touch to discuss one of our digital experts running a workshop for you and your colleagues.