We know that for busy business leaders, the need for easy-to-access, clear information has never been greater. Clayton and Brewill have, therefore, created Board Agenda, a monthly series, which will provide topical updates and insight on a wide range of key business issues.
In our first article, we focus on the forthcoming General Data Protection Regulations.
In 2018 new data protection regulations around how organisations collect and process client and contact data come into effect. Clayton and Brewill provide the key facts on the new General Data Protection Regulation (GDPR), along with some useful tips to help business leaders ensure their organisation is ‘GDPR-ready’
What is the reason for introducing the GDPR?
The GDPR will update and harmonise data protection practices across the EU.
The new regulations take into account the challenges of the 21st century and aim to provide increased protection and transparency for consumers by ensuring organisations handle data correctly and securely.
Who does the GDPR apply to?
The GDPR will apply to all EEA countries and any individual or organisations trading with them. All organisations who collect and store data will be required to comply with the new regulations.
When does the GDPR come into force?
The GDPR comes into force on 25 May 2018. All organisations will be required to comply from this date, so it’s important that organisations are prepared well in advance.
Will Brexit have an impact on the GDPR?
As the GDPR comes into force before the UK leaves the EU, UK organisations will be required to comply.
Post-Brexit The Information Commissioner’s Office (ICO) and the government have confirmed that they expect UK individuals and organisations to adhere to the GDPR, as post-Brexit the UK’s data protection legislation (currently the Data Protection Act 1998 (DPA)) must meet the new GDPR standard.
GDPR – the key facts
- Increased rights for data subjects (individuals) – including the right to be informed, object and be forgotten, as well as rights regarding access, rectification, erasure, restrictions on processing, data portability and automated decision-making.
- New obligations for data controllers and data processors regarding how records are maintained and for how long along with specific obligations of both parties.
- Higher standards for consent – data subjects are required to explicitly opt-in to receive marketing communications and evidence must be provided if requested.
- Increased accountability – organisations will be required to evidence how they comply with the regulations and how they have assessed any potential risks e.g. when implementing new technology.
- Reporting of breaches – the GDPR require any breaches to be reported to the ICO within 72 hours of the breach being made.
- Data protection officer – although a data protection officer is not mandatory for all organisations, an appropriate senior individual must be responsible for GDPR compliance.
- Increased fines – the maximum fine will be 4% of annual global turnover.
Tips to get your organisation ‘GDPR-ready’
- Act sooner rather than later – there may be more to do than you realise!
- Appoint a relevant senior individual to be responsible for overseeing GDPR compliance.
- Review your existing data practices and procedures to ensure compliance.
- Review the staff implications – consider employee contracts, training and whether you’ll need extra resources to ensure compliance.
- Ensure you have evidence of consent.
Taking a positive approach to GDPR
Although the GDPR can seem like a bit of a headache – particularly if your organisation has lots to implement to ensure compliance – GDPR can be used to strengthen business relationships. Some specific examples include:
- The need for consent provides an opportunity to speak to clients and contacts about the issues and challenges they are facing, allowing you to gain valuable insights that can be used to effectively tailor your marketing activity.
- Informing clients of how you are ensuring GDPR compliance can help build or reaffirm trust that their data is safe.
- Those who have explicitly opted in to receive communications are likely to be much more engaged with subsequent updates as a result.
- An opportunity to add value to existing client relationships through the sharing of challenges around GDPR – it’s likely that the majority of your clients will be facing similar issues.
GDPR cannot be ignored. It’s important that organisations review, plan and implement the appropriate policies and procedures to ensure that they are fully compliant prior to 25 May 2018.
If you’d like to discuss GDPR or any other issues that are impacting your business, please contact us.
More information on GDPR
This content is not intended to constitute legal advice. Specific legal advice should be sought before taking or refraining from taking any action in relation to the matters outlined.