What is GDPR?
The GDPR is the new General Data Protection Regulation. It comes into law on 25th May 2018, affects everyone in the EU, and isn’t changed by Brexit. It’s designed to:
- Strengthen individuals’ rights over their personal data
- Drive better cyber security
- Enhance supervision
- Increase sanctions for personal data misuse
If you run a business of any kind, anywhere in the world, and you deal with EU citizens’ personal data, you can be certain the new rules apply to you.
How does GDPR affect your business?
Almost every business uses IT systems, and most businesses collect, keep and use personal data from prospects, customers or both. GDPR compliance applies to every business. Unless you keep no paper or electronic files, employ nobody, don’t operate online and have never made a sale, that includes you. It’s reasonable to assume that your business is affected by GDPR. The new rules mean you have to abide by strict protocols for:
- Collecting personal data, both B2C and B2B
- Storing personal data
- Using personal data
It makes good business sense to find out exactly how the GDPR will affect you in good time, rather than delay things until it becomes law.
What happens if you don’t comply with GDPR?
Non-compliance can mean being fined by the authorities or sued by individual consumers. The financial penalties for non-compliance are bigger than under the old Data Protection Act. There’s an upper limit of €20 million or 4% of your annual global turnover, whichever is higher. The authorities can also:
- Give official warnings
- Demand audits
- Request things are fixed by a strict deadline
- Force you to destroy illegal data
- Stop you communicating with the customers and prospects in your databases
- Stop data transfers to other countries
There’s more. Non-compliance also means you don’t have a clean, warm database of customers and prospects to communicate with, which puts you at a significant marketing disadvantage.
How do you become compliant?
It’s important to make sure your IT systems comply with the new regulations around personal data. How do you do that?
- Your first step is to investigate and analyse your existing IT systems to see how compliant they are, if at all. You can do it yourself or seek external support from IT experts.
- Your second step is to fix any issues, if that’s possible. You may find you have to start again from the bottom up; it all depends on how well your existing systems support the new regulations.
In a nutshell, your system has to let consumers:
- Access their personal data easily and fast
- Have any mistakes corrected
- Ask for their details to be removed under the ‘right to be forgotten’
- Stop getting direct marketing offers
- Stop automated decision-making and profiling
- Transfer their data from one controller to another with ease
Can you be 100% sure you’re compliant?
GDPR compliance means abiding by the new law by making sure your IT systems are compliant and keeping them that way. The idea is to make the rules a natural way of doing business, not a hurdle to overcome or an added extra.
Because most companies use IT to transact business and market to their customers and prospects, your IT systems need to support end-to-end GDPR compliance. If you don’t have the internal expertise or are not 100% confident in your decisions, an external IT partner is a must.
How do we stay compliant into the future?
Time passes, systems change, new media come on board… which means every time you change your IT systems, you have to consider ongoing compliance. Whether you replace your systems completely, bolt on a new element or take an old one away, you need to consider GDPR.
Every new staff member needs to be trained in their GDPR responsibilities, and existing staff might need ongoing GDPR training to keep them on the button. It helps to have a proven professional IT partner who’s also GDPR-savvy.