How GDPR Will Affect your Business
In a world where consumers spend an increasing amount of their time online; data is everything. The ability to analyse and act upon relevant data has allowed companies to maximise their targeting capabilities like never before. With the right data, businesses have not only been afforded a way of targeting messages to specific groups, but changing the message to suit an evolving target audience.
‘Big data’ has been an invaluable influence on businesses in recent years. However, the way businesses use the data they have on their clients is about to change.
From SMEs to multinationals, the European Union’s General Data Protection Regulation (GDPR) will drastically alter the way businesses handle the personal data of their clients, customers or users. Coming into force in May 2018, noncompliance could leave businesses facing hefty fines.
In the following article, we explain what GDPR is and why it matters.
What is GDPR?
The data protection principles set out in GDPR are similar to those in the Data Protection Act. However, GDPR crucially highlights a new principle of accountability when it comes to the handling of personal data.
Organisations will not only have to comply with GDPR, but actively display how they comply. Businesses are expected to ‘put into place comprehensive but proportionate governance measures’ to ‘minimise the risk of breaches and uphold the protection of personal data’.
The ICO recommends several ways of demonstrating compliance with GDPR, including:
- Implementing appropriate technical and organisational measure to demonstrate compliance e.g. staff training, internal audits and reviews of internal HR policies
- Maintaining relevant documentation on processing activities
- Appointing a data protection officer where appropriate
- Using data protection impact assessments where appropriate
Along with increased accountability, consent is also highlighted as a key area of GDPR. ‘Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes’, this means that there must be some clear affirmative action – consent cannot be inferred through inactivity, pre-ticked boxes or silence and must be verifiable.
Moving forward, users, customers and clients will take a more active role in deciding how and where the person information they provide is used.
The GDPR strengthens certain existsing rights under the Data Protection Act and add new ones.
The rights provided under GDPR are as follows:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
Giving individuals greater transparency over how their personal data will be used, allowing them to access their personal data and block or suppress the processing of that data could have a large impact on that way that certain industries utilize information about their clients, customers or users.
Why Does GDPR Matter?
For businesses already complying with the Data Protection Act, the severity of the fines for non-compliance may seem substantially more shocking than the increased emphasis placed on accountability and consent.
Organisations who fail to comply with GDPR can face fines of up to 4% of their annual turnover or 20 million Euros, whichever is greater. The new fines are expected to hit businesses hard, with forecasts of up to £4.1bn from European financial institutions in the first three years following GDPR’s implementation.
However, the threat of a gargantuan fine does not seem to have been enough to spark action from the wider business community. The BBC reports that just 29% of firms have begun preparing for the change.
As of May 2018, businesses in the UK will be required to show where data is going, what it is being used for, prove that consent was given, keep records of all personal data and display how it is being protected. With accountability at the forefront, none-compliance is not an option business can afford to take.
You can read more about the European Union’s General Data Protection Regulation at the ICO.
For help and advice from a specialist, head to our Data Protection page and post your requirements today.