Let’s start by breaking it down. The GDPR stands for the General Data Protection Regulation, and is a European regulation set by the European Parliament, the Council of the European Union and the European Commission. Its purpose is to improve data protection for people within the European Union, through strengthening the measures that are in place.
Despite what you may be thinking, Brexit will not affect the UK's adoption of the upcoming General Data Protection Regulation (GDPR). The UK government has announced the Data Protection Bill (DPB), updating the current data protection laws in the country, which is designed to align with the GDPR. This comes into force in May 2018, when the UK will still officially be within the EU. The key thing for businesses to remember is that non-compliance is not an option.
The DPB is designed to emulate the GDPR, ensuring UK companies operating within the EU will be able to exchange and handle data across EU borders. This is also beneficial once the UK leaves the EU.
Companies that don't comply risk fines of up to £17m, or 4% of global turnover. Though the ICO has the power to impose said fines, the UK Information Commissioner, Elizabeth Denham, has stated that this has, unfortunately, been used as scaremongering by many people.
A customer’s right to privacy must be front and centre for all businesses, and new legislation will set out how marketers should collect and govern data in today’s data-driven, digital world.
Businesses should take a fresh approach to customer consent management, using this as an opportunity to better inform and educate consumers about how and why they are using their data. Consumers need to feel emboldened, not anxious. If brands want to prevent consumers from blocking their ads, then they need to do a better job of explaining that the exchange of anonymous data funds the content that customers read and consume. This will position a company as responsible and trustworthy, rebuilding the value exchange.
Evidently, the legislation will accomplish two objectives:
1) to give UK residents more control over their personal data; and
2) to align the UK’s data protection regime with the GDPR.
This legislation removes Brexit-related fears that data will ultimately be "turned off", because the UK's data protection law doesn't offer the same level of cover as the GDPR. Once the bill becomes law, UK residents will have new rights, such as the right to access and correct data, and the right to delete it.
Likewise, UK organisations will be obligated to create new processes to honour those new rights, and be expected to have a comprehensive understanding and control over all of their data practices. They will also need to communicate their data policy clearly and simply to consumers, and provide the ability to control their personal data.
What does this mean for my business?
Compliance does not mean a complete technology overhaul. Any business that processes data for a client may be required to demonstrate that they have appropriate data-processing controls in place, and that these processes comply with the GDPR. This doesn’t just apply to small businesses, but it is advisable to think long and hard before handing over any customer data.
Ultimately, businesses need to start making preparations for the introduction of the GDPR – and soon. Some changes will be speedy and procedural, but others may require alterations to infrastructure, which can be both time-consuming and costly.
Rather than ignoring the new legislation, the first step is to conduct a data flow audit, assessing what data you currently have and where it can be found. You should also conduct a gap analysis, to assess any privacy risks associated with your business processes and activities. Only from a place of self-awareness can businesses review processes and practices for seeking, obtaining and maintaining consent. We can also assist you in this step of the process, should you need any advice or consultation.
It is also advisable to involve your marketing and IT teams early, as compliance may simply mean tweaking consent forms or updating databases; for other factors, the shift could be more significant, and therefore more lengthy.
Finally, do not panic - but do act. After all, there is now less than 9 months left until the effects hit, and you want to be ahead of the curve.
If you still feel unsure about GDPR and what it means for you and your business, there are plenty of sites that you can visit for more information. A good place to start is the Information Commissioner’s Office website, which has a useful 12-point guide.