GDPR need-to-knows: It’s an evolution, not a revolution

It’s not long until implementation comes into force, so we’ve put together the GDPR need-to-knows to make sure you and your business are ready. If you haven’t started preparing, it’s not too late: you still have time if you make a plan, action it and incorporate data protection as a fundamental part of your business strategy.

With this said, there’s no reason to get overwhelmed by the rules and regulations. Instead, also consider the many benefits that compliance can bring, for you and your customers.

In a nutshell

To recap, the growing digital economy is impacting how businesses operate. There are also increasing concerns about current data protection laws, rights and privacy for both consumers and companies. As a result, the latest GDPR changes are set to lay the foundations for the long-term future of data handling in the UK. The General Data Protection Regulation (GDPR) is the new data protection bill, which will come into force in the UK on 25th May 2018.

Below, in list form, is the 12-step plan recommended by the Information Commissioner’s Office (ICO), an independent authority established to “uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals”. The plan aims to inform businesses about the changes under the new regulation and the best practices for meeting compliance standards.

  1. Inform main decision makers
  2. Assess all information
  3. Privacy information
  4. Individuals’ rights
  5. Subject access requests
  6. Lawful basis for processing personal data
  7. Consent
  8. Children
  9. Handling data breaches  
  10. Ensuring data protection privacy
  11. Assigning a data protection officer
  12. International

How to take action

A significant number of the rules have been around for a while, or in some cases are very similar to, and overlap with, the old stipulations. However, don’t be fooled. Check and double check to be sure you are 100% within the guidelines.

If you haven’t yet made final plans for GDPR compliance, make sure you map them against your business operating model so that you can identify any gaps that could leave your business open to risk. Look again at how to prepare for GDPR using the ICO’s 12-step plan.

Do you currently have processes and procedures in place that reflect each of these 12 steps? If not, systematically look at what you need to do and which of the 12 are likely to take longer to complete, to ensure you are ready. For comprehensive notes and guidelines, visit the official ICO website.

For example, possibly one of the most straightforward steps is to rework your company’s privacy policy. Why? Because it is a publicly viewable document and therefore directly affects users’ privacy, which GDPR emphasises the importance of, along with data security. A key area will be your website, so get your reworked privacy policy up there as soon as possible.

Take full advantage of GDPR changes

Regarding your relationship with your customers, take full advantage of the necessary changes enforced by GDPR. Don’t let the end point be simply ticking the compliance box. Consider the reward for your hard work in obtaining compliance to be the opportunity to re-establish relationships with your customers. Pre-empt any concerns they may have about data sharing, security and control.

Use it as a positive marketing tool. GDPR is not telling us that we can never contact our customers for marketing. It’s telling us that we should communicate with our customers: making sure they know what data we hold on them, why we hold it, and checking that it’s correct. And what is marketing if not communicating with customers?

By re-establishing communication with any contacts that may have been overlooked or lost over the years, the opportunity arises to update or remove any contacts that are no longer relevant, so future marketing will be more relevant and targeted.

Getting by or evolving?

Another positive side effect of GDPR is that you will see from your preparation and planning whether you are evolving and maturing as a company or just ‘getting by’ in terms of the datification of your business.

The ICO plans to create a “regulatory sandbox”, meaning companies can test their products and services against the regulatory requirements. This will allow them to build adequate data protection measures before launch. The scheme will run until 2021 and supports the four-year Information Rights Strategic Plan announced in 2017. Such initiatives further increase consumer trust, which, as we’ve stated, is what GDPR is essentially all about, and allow your business to evolve in terms of datification rather than tread water.

What are the fines?

As a gentle reminder, there will be fines for non-compliance, and they are significantly tougher than under the DPA. Organisations in breach of GDPR are liable to pay up to 4% of annual global turnover or €20 million, whichever sum is greater. These fines can be issued for failing to demonstrate compliance, so they can apply even when nothing has actually gone wrong.

Don’t panic!

In the official GDPR document, Information Commissioner Elizabeth Denham said: “Staying relevant in the context of ever-changing technology must become a core component of the ICO’s strategic goals, otherwise the ICO will fail to deliver the regulatory outcomes the public expect.”

The EU’s GDPR website states that the legislation aims to “harmonise” data privacy laws. Therefore, it may be best to interpret it as short-term pain for long-term positive, accurate and protective gain.

Essentially, don’t panic. GDPR is an evolution, not a revolution. GDPR compliance is not meant to catch you out; it’s a safeguard for both you as a business and for consumers.