Back in August we wrote about how a new Data Protection Bill was set to be published in September this year which would bring the EU’s General Data Protection Regulation (GDPR) into UK law.
GDPR is now officially due to come into force on 25th May 2018 and will mark the most wide-ranging change to global privacy law in two decades.
GDPR will apply to any organisation that provides goods or services to EU citizens, or that tracks them or creates profiles of them. Brexit won’t stop its introduction: the UK remains part of the EU until March 2019, and in any case it is widely believed that the UK will adopt its own legislation incorporating the GDPR rules.
GDPR should in theory make the business owner’s life easier, because there will be clarity as to how they should be controlling data. There are all sorts of new rules that must be followed, and failure to do so can result in substantial fines that could reach €20 million or four per cent of group global turnover.
How to be GDPR Compliant
As a business, there are three key areas in which you’re going to need to ensure you are compliant.
Opt-in consent
Anyone you wish to contact for marketing purposes must have opted in to receive communications from you via a ‘clear, affirmative action’. You are no longer permitted to use pre-ticked boxes hidden away at the end of a form or terms and conditions. Neither can any wording that relates to receiving marketing communications be ambiguous or unclear. Opt-outs are no longer allowed; GDPR heralds the age of the opt-in. It’s going to be necessary to cleanse existing mailing lists so that everyone opts in under the new rules, otherwise you will no longer be able to contact them after May 2018.
Right to be forgotten
You can no longer keep data for longer than you need it, nor use it for anything other than its intended purpose. Data must not be kept indefinitely, and any EU citizen will retain the right to request that their data is removed where no legitimate reason exists to process it.
Personal data processing
Data can no longer be held just for the sake of it. A legitimate reason must exist for you to have collected the data in the first place. You must also have a clear reason concerning what you intend to do with the data and for how long you will need to use it, and you’ll need to be upfront with consumers about all of this.
Time to get ready for GDPR
There is no time to waste in preparing for GDPR. Whilst it may seem a long way off, the fact is there is a lot to do, and if you haven’t ensured that everything is in place by the deadline of 25th May 2018, then you could be at risk of non-compliance fines.
If you have mailing lists that need to be opted in, you should not leave this to the last minute: by then consumers could well be fed up with the bombardment of opt-in email requests from every business they deal with, and may simply delete them wholesale.
There is useful guidance on the Information Commissioner’s Office website as to how you’ll need to comply with GDPR. You could also talk to your local bookkeepers for tailored advice on the various aspects that apply to your particular business.