It’s impossible to ignore the impending deadline for compliance with the General Data Protection Regulation (GDPR), but many businesses we’ve spoken to have still not acted to ensure they are ready for when the new regulation becomes law on the 25th May 2018.
We’ve had a number of queries about how we’re preparing, so we’re sharing information about the process we’re undertaking, and providing some useful links for you to review the impact on your business.
Unless you’ve been living under a rock for the last year or so, you should by now know that GDPR is going to affect every business trading with or within the EU member states, including those trading in the UK, even post Brexit. In the UK, a new Data Protection Bill (DPB) has been introduced to Parliament which aims to implement the GDPR into law after Brexit. This will be enforced by the Information Commissioner’s Office (ICO) and will largely echo the provisions of the GDPR. In case there is still any confusion around the matter, Brexit doesn’t mean that UK companies can avoid the GDPR!
According to reports, the DPB will include everything the GDPR covers, though with some exemptions; notably this means added protection for journalists, historical researchers, scientific researchers and anti-doping agencies. The Bill should be passed before the GDPR deadline, so keep an eye out for more information on how this may affect your business.
The implications of the GDPR are far reaching, and there is lots of advice available for businesses that hold or handle data. We are not qualified to recommend the course of action your business needs to take, but we have done our research to ensure compliance, and as such we wanted to share some insights and useful links to aid your own research.
What we can tell you is the much-documented fact that non-compliance with GDPR risks hefty fines, and businesses not taking this seriously will soon find themselves in the spotlight, because the general public are becoming much more versed in their data protection rights as press coverage of GDPR gains pace. It is worth noting at this point that the ICO has declared that it would prefer to work with organisations to bring their practices up to date rather than use a substantial fine as a knee-jerk reaction. Therefore, showing an awareness of, and an effort to implement, GDPR requirements is likely to produce a more productive reaction from the ICO.
So, the message you can take from this is that it’s never too late: even if you don’t think GDPR affects you, you should act now, because the simple fact is that it does!
How we’re preparing
As Direct Marketing Association (DMA) members, we take data protection compliance very seriously, and so GDPR has been on our agenda for some time. We have attended workshops and training courses provided by the BPIF and DMA, and have joined several webinars to assess what GDPR means for the data we hold and manage within our business, and how this impacts clients.
The main message that has come out of the research we’ve done is the emphasis on consent to hold and use data, as well as the processes and technology required to adequately manage all data storage and processing within the GDPR.
‘Consent’ has various facets, and the level at which consent is required depends on your business, and on how and why you need to hold data. What is clear is that the control is in the hands of the customer or individual more than ever before. There can be no ‘implied’ consent in the way we collect and manage data, and we need to be able to demonstrate how we’ve gained consent to retain the data we hold, for how long we retain it, and in what ways we manage security and removal of personal information. This DMA article tells you more: https://dma.org.uk/article/dma-insight-the-legal-base-for-consent. The basics to bear in mind dictate that consent must be "freely given, unambiguous, specific and informed". Silence, pre-ticked boxes or inactivity cannot now constitute consent. Gaining consent will require documentation separated from other terms and conditions, and it will also be a requirement that the withdrawal of consent is an easy and clear process.
To ensure that your data has the correct consents, it may well be necessary to conduct a full data audit, and also to assess the information provided at every touch point at which you collect or request information from an individual.
Data audit and security
The advice available on GDPR clearly states that all personal data held should be properly documented, including where it came from and who it is shared with. We will all be required to be able to provide evidence of data processing activities, which in itself will help to demonstrate that we’re aware of and complying with the new data protection principles.
At Infigo Software, the first steps we took were to audit the data we hold and undertake an initial stage of activity to check and confirm consent to use it.
In addition to an internal client and prospect data review, we are also working with our hosting companies and third-party vendors to identify their role in data management for us and our clients’ businesses, and to gather confirmation of their compliance with GDPR. This process is ongoing, and we are currently compiling information to share with our clients.
We’re also working on additional features within our Catfish platform to ensure opt-in actions meet the latest requirements, and to make it simple for clients to facilitate data requests.
As we complete the processes required to ensure we are fully compliant in advance of the 25th May deadline, we will be sharing more information with our clients and providing details on our website to reassure customers.
Our advice at this stage is to make sure that you research the impact for your business now so that you can implement any necessary changes well in advance of the GDPR deadline. If you haven’t already started this process, we have found the DMA guidance invaluable, so suggest you start here: https://dma.org.uk/gdpr