You’ve heard of the GDPR. I’m not even going to open with a ‘Chances are you’ve heard of the GDPR’ — because, you have most definitely, unequivocally, irrefutably heard of the GDPR. But it’s perfectly fine to not know what it means, at least at this stage anyway. And here’s a fun fact: most of the people who drop it into conversation with a knowing smile probably don’t know why it’s so important either. So here’s the first part of our crash course into the upcoming changes.
When we talk about the GDPR, we’re referencing the ‘General Data Protection Regulation’, a new set of data protection rules that have been implemented by the European Union. The GDPR was officially adopted back in April 2016, but it becomes legally enforceable on the 25th of May, 2018. This means that any business that is found to be non-compliant will face a fine. The highest possible fine is either €20m or 4% of the company’s annual global turnover, whichever is higher. Sounds scary, right?
So what do you have to do? The short answer is ‘probably a lot more than you’re doing right now’. The data protection laws we have at the moment have been found to be completely archaic, and anyone who has had repeated calls about an ‘accident’ that they’ve had will be able to testify that things are in desperate need of an overhaul. For a start, organisations need to make sure that any data that they have is being kept securely and then disposed of securely when it’s no longer needed, for example, by using a cross-cut shredder.
In relation to the above, you’ll also have to make sure that any businesses you work with are also following all of these processes, because you can still be fined for handing the data over to a non-compliant mailing house, agency, or shredding company.
As part of the GDPR, you’ll now need explicit consent from individuals to hold and process their data. In practice, this means that individuals will now need to opt in to receive communications from you, and someone not ticking a box to ‘opt out’ is no longer a legitimate reason for them to be contacted.
Those who have been following the interesting ‘right to be forgotten’ stories over the years will also find that this too has been implemented in the GDPR. As a result, a customer can request that all of their personal information be deleted. In a similar vein, they can also object to being profiled, for example as part of a marketing campaign. It’s worth pointing out that there are some exceptions to this, but you’re better off heading to your nearest legal professional for further advice on the finer details.
Another key element of the GDPR is that Subject Access Requests (SARs) can’t be charged for. This is the process by which customers are able to find out what data an organisation holds on them. This alone is going to cause headaches for organisations that aren’t prepared for it, so it could be wise to skill up current staff or recruit new heads to make sure you’re prepared for the change.
The GDPR can be a scary prospect, but there’s lots that can be done to prepare for the upcoming changes. Look out for part two of this series where we’ll be covering some of the other rules, as well as taking a comprehensive look into what you can do to be fully ready by the 25th of May.