UK businesses must comply with GDPR by 25 May 2018. GDPR stands for General Data Protection Regulation and its function is to harmonise data privacy laws across Europe. Even though the UK is set to leave the EU, UK businesses still have to comply. Non-compliance can carry a heavy fine, but it is important to remember that these fines are discretionary, not mandatory, and that cases will be considered on their own merits.
Why is GDPR being introduced?
At present, businesses operate under the Data Protection Act. The GDPR also governs data protection, but comes with more responsibilities for business owners than the old Act. GDPR offers better protection for customers, giving them more control over which data your business holds about them.
If your business is already established, you’ll probably be complying with the DPA anyway, and there will only be a few tweaks needed to bring your processes in line with new legislation. If you are in the process of setting your business up, you’re probably in the best position of all – you can hit the ground running with your GDPR compliance.
What do I have to do to become GDPR compliant?
The ICO has set out twelve points for GDPR compliance, which you can read here. Some may apply to your business and some may not, but some of the most important are as follows:
Appoint a Data Protection Officer
With any changes to legislation, it’s important that you have a member of staff to act as a central point of information and contact. Choose who will take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements.
Gain consent from your customers to hold onto their data
Probably the most important change that GDPR will bring concerns consent. Under GDPR, customers will have to give business owners consent to hold their data, and this consent must take the form of a positive opt-in. In other words, you must have a clearly written, specific sentence asking people to tick a box to say that yes, they are happy for you to keep their details and send out marketing material. Negative opt-ins, e.g. “Tick this box if you do not wish to hear from our company”, will not be an acceptable form of consent after 25 May 2018.
Update your privacy notice
Your privacy notice will have to explain why you are holding onto customer data at all, and must be concise, transparent, intelligible and easily accessible. Your privacy notice must also explain if and how data will be collected and shared with other parties. A great example of these privacy notices can be found here: https://ico.org.uk/media/for-organisations/documents/1625136/good-and-bad-examples-of-privacy-notices.pdf
Respect your customers’ right to be forgotten
Under GDPR, business owners are now obliged to erase customer data if a customer requests that they do so.
Update your data systems
In order to obtain consent from your customers, quickly delete their data if necessary and follow up any possible data breaches, it is essential that your systems for recording customer data are up to date. A good tidy-up of your customer list is always worthwhile, and it’s a good idea to combine it with GDPR compliance.
If you’re unclear whether your business complies with these new GDPR rules, you can take this self-assessment to better understand where you stand: https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/
GDPR does carry with it new responsibilities for business owners, but there is no reason why these responsibilities have to be onerous. Estata Marketing can help you bring your systems up to date and contact your customers to gain consent before 25 May. Just give us a call on 07460 388 640 to find out more.