Are you GDPR-ready? If you have day-to-day responsibility for data, you need to be.
What on earth is GDPR?
GDPR – the General Data Protection Regulation – is the new EU legal framework that will replace the UK Data Protection Act 1998 (DPA). It doesn’t matter that Theresa May is about to pull the trigger on Brexit – it’s coming in regardless.
The two main aims, in a nutshell, are:
- to give individuals control of their personal data.
- to improve international business opportunities by facilitating the free flow of this data.
Full information on what this means can be found on the Information Commissioner’s Office website.
If the DPA applies to you now, GDPR will apply to you when it replaces the DPA on 25 May 2018.
Judging by what we’ve seen so far, many marketers seem to be unaware of this legal shift, or maybe it’s considered to be so far in the future that it’s irrelevant at the moment. It’s not, though – the time to prepare is now.
Why does it matter?
As with the current Act governing data management, you need to ensure that the controllers and processors responsible for safeguarding and processing your data are acting lawfully.
Oh, and the penalty imposed by the European Parliament for extremely serious breaches? A mere 4% of the organisation’s worldwide turnover (or a cool €20m, whichever is greater).
How do I get up to date?
Ironically, the bombardment of emails from companies offering linked services such as readiness assessments, gap analyses and framework development has already begun.
Firstly, educate yourself – ensure that you’re acting within the law. Review your data collection and definition process and have a data compliance strategy. We’re still seeing websites that don’t inform users that they’re storing cookies, and pre-ticked boxes, years after soft opt-ins were made illegal – this type of consent just won’t cut it. Privacy by design is the way forward here.
Data protection impact assessments have been touted for years – you may already have had one to ensure you were acting within the current law. They’re not required by law, but if your company is handling swathes of data or is in a position where it’s likely you’ll be legally challenged, it would be worth investing in one and getting ahead of any potential problems. The ICO has a self-assessment tool if you’re not sure.
Consider appointing a Data Protection Officer (DPO). You must do this anyway if you meet one of three requirements: you are a public authority; you carry out large-scale systematic monitoring of individuals (for example, online behaviour tracking); or you carry out large-scale processing of special categories of data. Given that marketers pretty much take tools such as cookies, user monitoring and newsletter sign-ups as a given, data tracking has become almost inextricable from something as basic as having your own website.
Secondly, keep records – you need to be able to provide documentation to prove that you are acting within the law.
If you would like to chat about data procurement (or simply have a question for our team about this article), don’t hesitate to get in touch!
- ICO Data protection self assessment toolkit
- ICO Overview of the General Data Protection Regulation (GDPR)
- ICO Register as a Data Controller
- UK Data Protection Act 1998