The Definitive Guide To All Things GDPR

In the world of digital data collection and interpretation has become a fundamental part of running an online business. Capturing data, storing data, segmenting data, interpreting data and then putting plans into action is how we refine firms to improve performance and ultimately generate more leads or promote sales. Data has become a strategic advantage for many businesses and selling off or renting data has become a very profitable exercise.

This has, in turn, encouraged businesses to misuse data or obtain data without users consent. An issue highlighted by the Facebook/Cambridge Analitica scandal earlier this year. In a bid to put a stop to data malpractice the GDPR was drafted.

What is GDPR?

The EU’s General Data Protection Regulation (GDPR) was introduced to unify all EU member states' approaches to data regulation, ensuring all data protection laws are applied identically in every country within the EU. It will protect EU citizens from organisations using their data irresponsibly and puts them in charge of what information is shared, where and how it's shared.

Why was the GDPR drafted?

The GDPR was created to regulate how businesses use data, ensuring it's the same across the entire EU. It will apply to smaller businesses as well as large corporations The Data Protection Act 1998, the UK's interpretation of the EU's Data Protection Directive 1995, wasn't envisaged with contemporary uses of data enabled by the internet and cloud, with people exchanging their personal data for use of 'free' services provided by the likes of Google, Twitter and Facebook, and GDPR aims to rectify this.

The second driver is the EU's desire to give organisations more clarity over the legal environment that dictates how they can behave. By making data protection law identical throughout member states, the EU believes this will collectively save companies €2.3 billion annually. It should make complying less onerous for businesses, with them only required to meet one set of rules, compared to dozens of different implementations of the EU's Data Protection Directive 1995.

Why the need for GDPR?

GDPR is a good thing for ‘individuals’ as consumers, but as businesses who ran a legitimate program, it will be a bit of a pain. Consumers, however, deserve respect and consideration that proper data privacy represents. As individuals we will have a great deal more choice about what data companies keep about us, how and where they keep it, for how long, and what they do with it.

Who is affected by GDPR?

The regulation must be followed by every organisation that processes personal data of European Union citizens. The GDPR considers ‘processing’ as the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

The GDPR considers ‘personal data’ as any information that could be used, on its own or in conjunction with other data, to identify an individual. 

This effectively means any business to be it inside the EU or outside the EU collecting data and using it for business purposes needs to be GDPR compliant. If you are a more significant business and collect large sums of data, it can be tricky, but for a smaller company, I recommend the following be done:

• Communicate to all your EU based clients asking them to opt-in for communication once again and specify what comms they would like from you
• Update your email communication sign up forms to have communication type specific oft in fields
• Update your site to request users agree to your cookie policy when they land on your site
• Update your sites privacy policy to reflect its GDPR compliant

When does GDPR go into effect?

The GDPR is due to come into force on 25 May 2018 - and even though the UK is due to leave Europe in the next 12 months, it will still apply to all businesses handling EU residents' data, effectively replacing the Data Protection Act 1998.

How to comply with GDPR?

The more complex your system is, the more you might have to do to make sure it supports every aspect of business-wide compliance. Your first step is to start thinking about GDPR now, to give your company the time needed to get ready. Unless you are 100% confident you can handle it in-house, your second step is to find someone you can trust to give your IT an overhaul.

What happens if I do not comply with GPPR?

Complying with GDPR is vital. Any business found not sticking to the rules could be charged fines of up to €20 million or 4% of the company's global annual turnover, though the most stringent fines will be reserved for the worst data breaches or data abuse. The authorities can also:

• Issue warnings
• Carry out audits
• Demand that you fix things within a strict deadline
• Demand you erase data
• Stop data transfers to other countries
• Apply these powers to data controllers and processors and data processors

Do you need a data protection officer?

Due to the quick turn around times and the enormity of the punishments for ignoring GDPR, many companies have now hired DPO's (Data protection offers) or external DPO's to facilitate the review and consent process and make sure all communication and use of data is to GDPR standards. If you are a large corporate or multinational a DPO is definitely the way to go.

NO need to panic just yet

While GDPR does cover businesses of all sizes residing in or communicating with consumers in the EU, it won't be coming down hard on every offender. 

Instead, the focus would be on big companies - particularly those in the technology sector - that "deliberately, persistently or negligently misuse data. So if you're startup and tried to get concent, but miss the cut-off dates, and your customers aren't unsubscribing or complaining I would say you're pretty safe at this point.

Contact us

If you want to know more about GDPR compliance, don’t be shy we’re happy to assist. Simply contact us here

Tags: data protection, How to, Tools