Ensuring your organisation meets the requirements of the new General Data Protection Regulations – GDPR.
You may be forgiven for thinking that Brexit would have marked the end of EU regulations in the UK; there may even have been a collective sigh of relief from some quarters. However, the end of our relationship with Europe does not mean that every single piece of legislation will become entirely UK-centric. The new General Data Protection Regulation (GDPR) represents the culmination of four years' work across the EU, and the UK government has agreed to apply the updated legislation within the UK so that data protection rules are standardised across the EU in support of a borderless internet environment.
The General Data Protection Regulation replaces the UK's 1998 Data Protection Act and introduces a series of new requirements as well as considerably tougher fines for breaches and non-compliance. The clock is ticking, as the new regulations come into force on 25th May 2018; despite the tight timescale, however, a number of organisations are unprepared. A recent survey by Imperva showed that fewer than half of the IT managers surveyed (43%) are prepared for the upcoming changes, and almost a third (28%) were unaware of any preparation for the change in law.
However, ignorance will not be a valid defence, especially as the GDPR places legal responsibility for data protection at board level.
Both controllers of data (those organisations that determine how and why personal data is processed) and processors (the organisations that act on the controllers' behalf, for example an eCommerce provider managing data processing) have clear responsibilities under the new regulations.
The GDPR introduces a more detailed definition of personal data, which encompasses elements that were previously not specifically noted under the Data Protection Act. These include online identifiers such as IP addresses, and sensitive data such as biometric and genetic data.
Overall, the data protection principles are broadly similar to the previous Data Protection Act requirements; however, there is a new accountability requirement, which means you need to demonstrate how you are complying with the principles. This will require detailed documentation of all data processing activities so that you can demonstrate you are following the principles of lawful processing.
One area which caused confusion in the past was consent from individuals to allow their data to be processed. Under the new regulations consent must be given, informed and an unambiguous indication of the individual's wishes, and it must be verifiable. There is a new requirement that personal data collected from children, defined as individuals under 16 years old, must have associated privacy warnings written in such a way that children will understand them. Additionally, children may not give consent to the use of their own data; this must be given by someone holding 'parental responsibility'. Therefore, when you use forms to capture data you must ensure they are both appropriate for the audience and that they meet the consent requirements, so that your data handling remains lawful.
It is clear that you need to ensure consent is an active, affirmative action by the data subject: pre-ticked boxes or opt-outs will no longer be acceptable. In addition, data controllers will be required to keep a record of how and when consent was given by the individual, and the individual may withdraw their consent whenever they want, which must then be acted upon. Your organisation will be required to meet these requirements or cease collecting data when the GDPR comes into force.
The new regulations also give the regulator the opportunity to apply higher penalties to organisations which are in breach of the GDPR. In the first instance you are required to notify the data protection authority of any breach which exposes personal data within 72 hours. Failing to meet this deadline could leave the organisation exposed to a penalty of up to 2% of its worldwide revenue or €10 million, whichever is higher.
For failure to follow the GDPR principles there is a penalty of up to €20 million or 4% of your global annual turnover, whichever is greater: a massive risk if you do not carry out the required changes before the deadline in May. These fines are considerably higher than have previously been possible for the regulator and show the importance being placed upon the security and fair management of personal data.
It is vital to take immediate steps to ensure your storage and processing of personal data meets the new requirements. In particular, you should check the scope and type of data stored by web and eCommerce systems to ensure that data which was previously not covered by the regulations, such as IP addresses, is being processed correctly. In addition, ensure that all forms used to capture personal data meet the requirements for affirmative consent.
As you will now be aware, your responsibilities also cover those of your data processors, so you should ensure that third parties and contractors are also meeting the relevant requirements and that you have correctly documented all aspects of the data processing activities.
The simple way forward is to use a trusted partner for data management such as MM Group. Their professional team can advise on all aspects of data protection and provide the assurances and documentation for the data they supply, showing it is accurate and processed in line with the latest regulations.
With over 15 years' experience in online marketing, MM Group are the leading provider of high-performing lead data for a variety of verticals. Using a highly targeted technique, they ensure that potential leads provide their own data and actively request contact from your organisation, not only yielding some of the highest closure rates in the industry but also guaranteeing that the data has been gathered legally.
Contact MM Group today for fully compliant and opt-in lead generation!