Four letters are currently raising concerns for many businesses: ‘GDPR’, short for the General Data Protection Regulation.
Although some of the hype surrounding the new rules – particularly the new rules on penalties – has become overblown, the new data protection regime is a significant issue for businesses of all sizes. With the law due to take effect on 25 May 2018, it’s crucial to get to grips with the GDPR as soon as possible.
So, what is the new law, and what are the main issues you may need to consider?
Briefly, the GDPR is an overhaul of the law on how organisations gather, process and use personal data. The GDPR is an EU Regulation. This means it has direct effect in all EU member states from 25 May 2018. Despite Brexit, the government has confirmed that the GDPR will be implemented in the UK.
Three key areas of business operations are most likely to be affected:
- HR, including how information about employees is gathered, stored and used
- Marketing, particularly how consent for communications is obtained
- Business practices around contracts and clients, such as whether your terms and conditions are compliant.
Even if you comply with the current data protection rules, the new rules under the GDPR will almost certainly require you to adapt your practices in all these areas. This is because it’s not just a question of doing things differently for information relating to new employees, clients, or suppliers. The GDPR rules apply to information you already have – that perhaps you gathered years ago, and may not even know you have. That’s why one of the most pressing tasks facing businesses is to audit exactly what data you hold, where it came from, and what you do with it.
Information on employees
The new rules require you to understand what data you have, how and why you use it, and how you hold it. As a start, it’s worth considering the following points:
- what is your lawful basis for holding and using employee data?
- is the data you hold personal data or sensitive personal data? The rules for the latter are more stringent than under the existing rules.
- is there data you should delete or manage more actively?
- what training do you need to provide staff?
Consent for marketing and communications
Some of the steps you need to take here are similar to those for HR, as the GDPR will affect how you record and process information about clients, contacts and prospects, how you keep it secure, and how you contact them for marketing purposes.
One major change is to the way organisations obtain consent to gather and use individuals’ personal data. Consent has to be freely given, specific, informed, properly documented and easy to withdraw.
For example, if someone offers you their details and consent to one type of email communication – say, an e-receipt or details about an event – this does not give you free rein to send them other communications.
Secondly, it will no longer be acceptable to use pre-ticked consent boxes on websites or apps – the presumption will be that consumers will have to ‘opt-in’ rather than ‘opt-out’. Businesses should take advice on whether they need to reach out to all their existing contacts to seek new consents.
Other communications issues arising from the GDPR include:
- what do you need to tell clients and contacts about your lawful basis for holding their personal data?
- are you providing adequate ‘privacy notices’?
- if you outsource marketing campaigns or database management to a data processor, what must you do to comply with the GDPR?
General issues
Back-office processes may need to be reviewed and changed to comply with the GDPR. This will need to be carefully planned to avoid a drain on administrative resources. Specific issues include:
- handling ‘subject access requests’ (requests from individuals to see a copy of the information you hold on them, or to learn what you do with it) within the required timescales
- dealing with the new ‘right to be forgotten’
- complying with the new duties to report data breaches, including processes for detecting, reporting and investigating them.
Clearly, there is a need to put a plan in place and preparation should start as soon as possible. The best steps will depend on the size and nature of your business, and the state of your current practices. Advice will always need to be tailored, and it must be pragmatic too – based on understanding the specific pressures facing your operation; the reputational issues as well as the legal ones; and the resources you have available.
Appropriate advice can reduce your concerns regarding GDPR over the next few months and help to put in place a viable and sustainable plan! Feel free to contact us and we will be happy to help.