Have you heard about the GDPR yet?
The first iPhone wasn't launched until 2007, and look how much things have changed since then. The Data Protection Act was introduced in 1998, so it has been due an update for a while. This is where the GDPR looks to make some changes and it is fair to say that businesses are going to have to change too!
WARNING: This subject might sound very boring, but please grab yourself a coffee and read all of our GDPR articles because they contain important information that will benefit your business!
This is the first article in our GDPR series and will give you a brief overview of what it actually is and what you need to be aware of.
The General Data Protection Regulation (GDPR) comes into effect in the EU and UK on 25 May 2018. The GDPR will replace the old Data Protection Act of 1998 and bring with it more rights for individuals, new reporting obligations and a serious hike in the fines handed out in the event of a breach of the regulations. If you currently comply with the Data Protection Act you have a solid starting point for complying with the GDPR, but you will have to build from there. The big changes include:
- Bolstered rights for individuals: individuals will have a say in who processes their personal data (including email addresses), a new right to be forgotten (erasure) and the right to have their data transferred to another data controller.
- Data protection by design: when launching new products and services, businesses must demonstrate compliance with the regulations.
- Transparency: if the data subject asks, the organisation must be able to show how their data is processed.
- Notifying the Information Commissioner's Office (ICO) of a breach
- A new fine regime: at the moment fines are limited to £500,000, but under the GDPR they increase dramatically, and in some cases you could be facing a fine of €20 million or 4% of your global turnover.
Research conducted by Oliver Wyman estimates that, had the GDPR been in place over the last 5 years, the companies in the FTSE 100 could have been hit with fines totalling £25 billion! Probably the most well-known cyber-attack and data breach to hit the headlines over the last few years was the one that TalkTalk suffered. TalkTalk received a fine of £400,000, one of the largest fines of its kind, but under the GDPR that very same situation would have warranted a fine of up to £59 million!
If you look at the new GDPR from a financial perspective, the consequences of non-compliance are drastically worse than those of non-compliance with the old Data Protection Act. As TalkTalk discovered, your reputation could be damaged in a way that seriously impacts the future performance of your business, and that is without taking into account the fines you could face. The GDPR won't stop cyber-attacks and data breaches from happening, and you won't always be given a fine should you suffer one. However, if you don't cooperate with the ICO or cannot show them that you had protective measures in place at the time you suffered the cyber-attack or data breach, you will most likely be fined.
One of the most talked-about things surrounding the GDPR is the new rules regarding consent, that is, whether or not an individual has given their explicit consent to receive communications from you. So for the email campaigns you send to your list of prospects, every recipient needs to have positively opted in for you to comply with the GDPR. We think this is enough information for now about the GDPR, and you may need more coffee if you are to continue reading about it. For information on the steps you can take to prepare for the GDPR and guidance on obtaining consent under the GDPR, take a look at our other articles on the subject.