QA | 10 February 2015
The GDPR (General Data Protection Regulation) is set to come into effect on 25th May 2018. Businesses failing new data protection regulations could face huge fines. It may feel a little confusing, so in this blog we answer some important questions about GDPR and what you need to do.
What is GDPR and who does it apply to?
The EU’s General Data Protection Regulation (GDPR) is a regulation to strengthen and unify data protection.
GDPR applies to all companies that process personal data of European Union (EU) citizens.
The requirement is to protect EU citizens' fundamental right to have their personal data protected. The legislation sets out clear definitions of terms to ensure consistency in application across the EU and to provide legal certainty and accountability.
When does GDPR apply?
It applies from 25 May 2018.
What if I don't do anything?
If you don't comply, you could face a fine of up to 20 million Euros or 4% of your global annual turnover (whichever of the two is higher).
What does it mean?
GDPR requires organisations to adhere to the 8 principles of data protection, but extends and strengthens them. GDPR requires list owners to seek consent from individuals in easy-to-understand terms, free of legal jargon, with what the information will be used for marked and highlighted very clearly. Individuals also have the right to withdraw consent as easily as they gave it, as well as the right to be 'forgotten', which means all their data must be removed. Lengthy and complicated terms and conditions which lack clarity will no longer be tolerated.
GDPR also introduces the data minimisation principle, which means organisations cannot hold data for any longer than absolutely necessary. The law also prevents businesses from changing the use of data from the purpose it was originally collected for, unless they request permission.
How do I get consent under GDPR?
Consent will need to be sought from all customers going forward and recorded, and an audit trail must be available. From May 2018, only those whose consent can be proven can be mailed without risking penalties. Companies must act now to ensure they have all of this in place, as even contacting people to obtain consent is against the regulation from next year. So if you are unable to get a response between now and then, you may well lose that contact.
How broad can the consent forms be?
Not very. The consent forms need to highlight exactly what the individuals' details are going to be used for and what can be communicated back to them, as well as the method (phone, email, text). The form also cannot be pre-ticked, so the individual must actively agree to their data being used.
An important note to add is that consent must come from the individual rather than from an organisation as a whole, unless the organisation can provide full authorisation from its individuals to give consent on their behalf and take full responsibility for doing so. It's just not enough to have a relationship with a company alone!
Is this going to affect the size of databases?
Definitely! Gaining consent in the manner highlighted above is going to drastically reduce database sizes, but on the upside it should increase the quality of your data, as those being contacted have, in theory, actively agreed to receive your communication. So, although the number of contacts an organisation holds may decrease, perhaps we can use this as an opportunity to clean our databases, allowing for a better flow of communication to our clients.
If GDPR affects your organisation, it's time to act fast. Start preparing now, so you don't get caught out.