As many of you may know, GDPR is now in effect! However, some of you may be thinking ‘GDPR, what???’. There is no need to worry, as we’ve got you covered! This email tells you what GDPR is and how it may affect you and your business.
What is GDPR?
GDPR stands for the General Data Protection Regulation. GDPR is a new law which aims to have a singular set of data protection rules across the EU and to give individuals better control over their personal data. As of the 25th May 2018, GDPR will come in to affect and replace the Data Protection Act 1998.
What will happen if I break GDPR law?
GDPR breaches will not receive minor consequences. If an organisation breaks GDPR law, they will be subject to a €20 million or 4% global annual turnover fine- whichever figure is higher.
Does GDPR apply to my business?
The law applies to all those who control or process personal information of any EU citizens, regardless of the location of the business. If you are not sure whether GDPR will apply to you or not, consider whether you market to EU citizens and/or monitor the behaviour of EU citizens- If so, GDPR will apply to you.
How does GDPR affect my business strategy?
GDPR will create BIG changes in the ways a business will/can use specific marketing techniques to prospective or current customers. In particular, it will affect how a business can obtain and record personal data, providing emphasis on individuals having complete consent, and know why and how their data will be used.
In regards to forms, the person must be told exactly what they are opting in to and what they will receive by entering their personal information. A singular checkbox cannot sign the individual up to everything, the checkboxes must be clear and precise in what they can opt-in for. The individual will need to personally tick the consent boxes, they cannot be pre-filled. A business must also declare who they are, what they intend to do with the data and if any third parties will have access to the data. The company taking the data needs to record each individual’s consent, including what they have consented to and when they consented.
Cookies are also included in GDPR. Cookie information must be easily viewable and understandable for the individual. The individual must provide consent to being tracked by the cookies.
What can individuals do with their data?
The individual has the right to modify their personal data, as well as ask to see the data which the company holds of them; this should usually be completed within 30 days of the request. They are also able to request their personal data be permanently deleted, but this does not always apply, the deletion will depend on the context of the request.
What do I do if I breach GDPR rules?
Companies must have the appropriate safeguarding processes in place in order to effectively protect personal data. If a company violates GDPR’s rules, they must notify their country’s supervisory authority within 72 hours of the known data breach. If the breach is not declared before the 72 hour period, the company will face the necessary consequences. If the breach could affect an individual’s safety, e.g. identity theft or confidentiality, the individual must also be informed of the breach.
Now you know what GDPR is, it is time for you to review your current data intakes and database procedures to see if they follow the new GDPR law.
Here is a link to a GDPR checklist to make sure you are GDPR ready!