We may have voted to leave the EU, but make no mistake, the new EU General Data Protection Regulation (GDPR) is coming to the UK on 25th May 2018 and businesses need to start making changes now.
The main issue businesses will have to consider with the implementation of GDPR is the processing of personal data of European Union (EU) citizens, with the emphasis on "personal".
What key areas do businesses need to focus on when GDPR comes into force?
permission to market – email acceptance, sign-up or opt-in; voice recording, where the call is recorded and verified as stating that you have permission to contact the person.
data audit trail – where has the data come from and where and when was it passed on?
management of data sources
security – the movement, transfer and storage of data
Personal email contacts within a business, for example "email@example.com", will require personal permission from "A Smith" before you contact them, and you can only contact them within that organisation. If the email contact is a "firstname.lastname@example.org" address then you don’t need an individual to give permission, because there is no personal information in that email address. The emphasis is always on "personal".
Anyone you are buying data from (a data source) will have to store these permissions for a reasonable timeframe, so that data auditing can be carried out for at least 12 months. Most data sources now hold this information for 2 years so that any complaints or breaches can be tracked back and verified.
Businesses will have to be clear and transparent when it comes to collecting data: for what purpose the information will be held and how they will use it. Third-party marketing will have to be specified and opted into, as will contact through direct mail, telephone and email. At the moment most businesses are probably not this specific, so these guidelines will need to be implemented across existing terms and conditions and sign-up pages. Silence or inactivity will no longer constitute consent.
Additionally, any telephone scripts will need to be updated to reflect the future requirements, and usually a recording of the conversation, including the permission given, will be kept to help prove that permission was granted.
The GDPR will also require organisations to monitor continuously for breaches of personal data. Businesses will have to notify the local data protection authority of a data breach within 72 hours of becoming aware of it. Would your business have the technologies and processes in place to detect and respond this quickly?
GDPR will ultimately protect us all from unscrupulous organisations that don’t value personal data. But taking small steps now to start implementing these guidelines will make the transition a lot easier.