Consent is King: 6 things you need to know about GDPR
It’s less than a year to go until the EU General Data Protection Regulation (GDPR) is enforced – 25th May 2018 to be exact. Everyone is talking about it – it is a regulation that is going to impact most organisations, particularly those in the marketing and cybersecurity space. However, around 84% of smaller UK businesses still haven’t heard of GDPR. And time is most definitely running out to prepare.
The GDPR replaces a 1995 EU Directive which outlined key principles to bear in mind when using personal data. The difference matters: each EU member state could choose how to implement a directive in its own law, whereas a regulation is directly applicable in every member state.
We’ve done some research of our own and broken it down into the six key things that we think you really should know about the GDPR.
1. The penalties are significant
For the most serious breaches of the GDPR, an organisation can be fined up to 4% of global annual turnover or €20 million, whichever is greater. Failure to comply could put your organisation in the line of fire, with many SMEs risking company failure. It is worth noting that there is a tiered approach to fines – for example, a company can be fined up to 2% of global annual turnover for not having its records in order or for not appropriately notifying its customers about a breach, among other things. Put it this way – Yahoo! would have been in serious trouble if the GDPR had been in place a year earlier, after not one but two data breaches came to light.
2. Consent is King
This is pretty big, particularly if your business engages in any email marketing. Companies will no longer be able to rely on terms and conditions that are unclear and full of legalese – the request for consent to use personal data must be presented in an easily accessible form. It has to be as easy for people to withdraw their consent as it is to give it. And, for consent to be valid, the consent process must include an affirmative action of some kind (e.g. a double opt-in, or ticking a clearly labelled consent box that is not pre-ticked).
3. Brexit is irrelevant
We’re leaving the EU so it doesn’t matter, right? Wrong. The new GDPR has ‘extra-territorial applicability.’ It applies to any organisation that handles the personal data of EU citizens, regardless of whether it is headquartered in the UK, France, the US or elsewhere. Any non-EU business processing the data of EU citizens will also have to appoint a representative in the EU.
4. Data breaches have to be reported
Data breach after data breach seems to have hit the headlines over the past 12 months, and the GDPR aims to play a role in preventing another wave of them. Organisations must notify the relevant data protection supervisory authority within 72 hours of first becoming aware of a breach. Affected customers must also be notified without delay where the breach poses a high risk to the rights of individuals.
5. Data subject rights
Data subjects (i.e. your customers) have several rights under the new regulation. They have the right to obtain confirmation from the organisation as to whether or not personal data concerning them is being processed, and for what purpose. They also have the right to be forgotten if they decide that they no longer wish their data to be used.
6. Data minimisation
The regulation states that businesses should only hold and process the data that is absolutely necessary for the activities for which that data was collected – this is data minimisation. Access to personal data should likewise be limited to those who need it in order to carry out the processing.
Time is ticking!
I said it before, and I’ll say it again – time is running out. If the regulation is to be enforced as strongly as it states, businesses really do need to be thinking about how they are using data and be clear about compliance. This regulation affects businesses of any size, and as we are not legal experts we advise you to seek advice if you want more information or are unsure about any aspect of the GDPR.
D2 Legal Technology LLP, an independent firm specialising in legal data management, systems and processes consulting services, works with organisations of all sizes to unlock business value through legal change. D2LT has a dedicated GDPR practice, helping organisations understand their obligations under the GDPR and align their technical and organisational processes.