I love writing content about helping companies go through a digital transformation, but there always comes a time when something important happens, such as a major update to a privacy law, and I want to make sure you are as informed as possible.
Whilst the new GDPR (General Data Protection Regulation) will not come into effect until May 2018, it is still important for me to be as up-to-date as possible on privacy law, and the same goes for any brand: it has been quoted that a fine for breaching the soon-to-be enforced GDPR would force 17% of companies in the UK out of business.
This means that if you are in breach of this new rule from May 2018, your business's future may be in jeopardy, especially if you are a small business looking to grow over the next five years.
There have been hundreds of articles written about this new privacy law, but I want to make it as easy as possible for you to understand, so that you can take the necessary actions to make sure you will not be in breach come mid-2018.
THE HISTORY OF THE GDPR
This new privacy law has been prepared and debated over the last four years and was approved by the EU Parliament on the 14th of April 2016. It will be published in the EU Official Journal 20 days before the enforcement date of the 25th of May 2018.
WHAT IS GDPR REPLACING?
The GDPR will replace the Data Protection Directive 95/46/EC. It was brought in to unify data privacy laws across Europe, to protect the data of EU citizens, and to change the way businesses approach data privacy.
OPPORTUNITIES AND CHALLENGES AS A SMALL BUSINESS
Whilst the GDPR is a data protection privacy law, it means much more than that. As a small business, you will need to make sure that all of your PR, marketing, and engagement with your customers is as honest and transparent as possible moving forward.
The way in which you collect customer data and create lists to market to will change, and it will be a lot harder and more expensive to promote your business to prospects if you are an SME.
You will likely already have a limited advertising budget compared to larger companies, which have the budget to increase their ad spend and use different marketing tactics to engage with their audience.
This does, however, mean that because larger companies will be spending more on advertising, the cost of their products will increase, so there are advantages and disadvantages for small businesses.
Now that you know about the GDPR, and what it will be replacing, here are ways in which it will affect you online.
INCREASED TERRITORIAL SCOPE
Previously, territorial scope was relatively ambiguous and referred to data processing in the context of a business. This change applies to the use and application of personal data in the EU, regardless of whether the processing takes place in the EU or not.
This means that offering products or services to EU citizens (regardless of whether a payment is required) will still fall under the new GDPR.
If you are in breach of the GDPR, you can be fined up to 4% of your annual global turnover or €20 million, whichever is greater. This is the maximum penalty a company can be forced to pay; serious infringements where it would apply include not having sufficient customer consent, or violating the core of the privacy-by-design concept.
Consent has now become a lot more strict. Companies cannot use long, hard-to-understand terms and conditions that a customer either ignores or avoids because they do not understand them. Consent to use data must now be presented in a clear and understandable way using simple language, with an easily accessible form that can be used both to give consent and to withdraw it.
There are also six new “rules” that I want to talk about that sit under the “data subject rights” banner.
If a data breach is likely to result in a risk to the rights and freedoms of individuals, it is mandatory to notify customers within 72 hours of becoming aware of it.
RIGHT TO ACCESS
Individuals now have the right to ask a business about their personal data and how it is being used. The business will then have to provide a copy of that personal data, completely free of charge.
RIGHT TO BE FORGOTTEN
Should data no longer be relevant to the reasons for which it was collected, or should an individual withdraw consent for their data to be used, this has to be enforced, meaning that the data will have to be removed from any platform that is using it.
Similar to the “right to access” rule, an individual has the right to receive the personal data that concerns them in a machine-readable format.
PRIVACY BY DESIGN
Privacy by design has been a concept for years, but it is now a legal requirement under the GDPR. This means that it needs to be at the core of data protection, rather than just an addition. It has been stated that:
‘The controller shall… implement appropriate technical and organisational measures… in an effective way… in order to meet the requirements of this Regulation and protect the rights of data subjects’.
DATA PROTECTION OFFICERS
As it stands, businesses are required to notify local DPAs of their data processing activities, but under the new GDPR this will no longer be necessary. Instead, there will be an internal requirement to keep records. If you are a business whose activities consist of processing operations, that takes part in systematic monitoring of data subjects on a large scale, or that manages data relating to criminal convictions or offences, you will need to appoint a DPO.
This DPO must have expertise in data protection law, may be a staff member or an external service provider, must be known to the relevant DPA, must have appropriate resources to carry out their tasks, and must not carry out tasks that may be a conflict of interest.
When writing a privacy notice, you should consider the following:
- The information that is being collected
- Who is collecting this information
- How it is being collected
- Why it is being collected
- How it will be used
- Who it will be shared with
- How it will affect the individual
For guidance, I have inserted a visual below from the ICO showing how this could look.
This is where you offer an easy-to-understand explanation of your policy, with the option for the individual to find out more through an on-page link. An example of this is below.
2. “JUST IN TIME”
This is a real-time popup of information shown when someone enters their details into a signup form.
As you can see below, the email address field has a notice which states how the email address will be used, together with a link to further information.
Companies such as Microsoft, Age UK and USwitch have already started to adopt some of the above examples to make sure that they are not in breach when the GDPR is introduced in May 2018.
I hope that all of the above will help you improve the way you inform your customers of how their data has been collected and how it is being used.