It’s happening – the UK’s 20-year strong data protection laws are undergoing a renovation to bring them up to speed with a rapidly evolving digital landscape.
With this massive overhaul comes a sense of nervousness amongst many brands and professionals. And the important date to mark with a massive red circle in your diary is May 25th, 2018 which will be when the new General Data Protection Regulation is rolled out across Europe.
The impetus behind the changes is the fact that digital infrastructure has transformed so much since the 1990s when current data protection laws were written – in theory, the GDPR creates regulations that are fit for modern use.
With GDPR looming over all industries, there will be a series of new obligations that put the onus on you and your company to enforce.
While a lot of data protection principles will remain largely the same – we’ll look at what’s changing, take you through what to look out for, how to educate yourself and make your business GDPR-ready.
As well as our guide, we recommend reading through the full text of GDPR to familiarise yourself with the 99 articles, setting out the responsibilities of companies and new consumer protections.
It’s a pretty long read but this will give you full detail and comprehensive info – we’ll take you through some of the bigger changes below:
What on earth is GDPR?
GDPR is basically a massive exercise in compliance and adherence. Elizabeth Denham, the UK’s Information Commissioner calls the new law an ‘evolution’ instead of a revolution – running with the idea that this is an extension and update of data protection regulation, created in 1995 by the EU and adopted by member states.
Each EU country also has its own national laws – in the UK this is the Data Protection Act, rolled out in 1998.
The way that companies and marketers collect data, store data and use data has changed immeasurably, so the new EU-wide directive is looking to give individuals and users more rights when it comes to their data privacy and create a more transparent framework.
Pretty much every type of industry and company that handles personal information (schools, charities, brands) will be affected by GDPR, which is why there’s been such a large-scale reaction and sense of anxiety around the changes.
Under GDPR, ‘personal data’ is information that can readily be used to identify someone.
Any company that controls or processes data will be affected by GDPR.
And GDPR has been a long time coming, after almost 4 years of negotiations between EU bodies, GDPR was announced in May 2016, which has given a 2 year preparation period for companies to update their processes in time for the rollout in May 2018.
In the UK, GDPR will be regulated and enforced by the Information Commissioner’s Office, which will have a new fining system at its disposal to ensure companies are adhering to the rules and individuals’ rights are protected.
Brexit has obviously changed things a *little* bit, so GDPR will come under a new act created by the British government, called the Data Protection Bill.
It’s largely the same as the EU’s GDPR model, but with small differences. The bill needs to pass through the House of Commons and the House of Lords though before it’s enshrined in law.
What’s different about GDPR compared to current data protection laws?
As we mentioned earlier, Elizabeth Denham, the UK’s Information Commissioner insists that GDPR isn’t in place to trip companies up, but it’s an extension of current laws and regulations.
GDPR aims to catch up regulations with rapid digital change.
Let’s take a quick look at some of the key new aspects included in GDPR that you need to look out for:
What your Company can do
GDPR raises the game for companies when it comes to accountability and transparency.
When you look at the amount and frequency of large-scale data breaches in the last few years, it’s pretty alarming and clear there needs to be changes.
Especially if companies are concealing breaches – for example, in 2016 Uber was hacked and millions of customer and employee details were compromised.
However, they hid this from customers and employees and it was only revealed a year later.
Under GDPR, there are much clearer guidelines for companies when their data is breached and more stringent repercussions if they fail to comply.
GDPR arguably brings more power back to the people. Whereas at the moment people and public bodies can submit a Subject Access Request, which costs £10 to access their data, under GDPR this fee is scrapped.
Even if your company isn’t huge, get clued up on your data processing and how your company does this.
Make sure you have the correct documentation that can be shown to authorities if you need to.
If you’re not really sure where to start, then commission impact assessments or enlist the help of an experienced data protection contractor.
We recommend assigning a Data Protection Officer. This doesn’t have to be from outside your company, you can give someone on your team this role.
Make sure that they have the skills and correct training to carry this out though.
They must be familiar with data processes and what happens if there’s a breach – your data protection officer will be responsible for reporting breaches and handling requests from customers.
They must have the correct documentation at all times and create a system that tracks and records your data usage and collection so they won’t come unstuck.
Start putting data protection policies in place. If you don’t already take data protection seriously enough – start using best practices.
This is your chance to professionalise your approach to data protection.
Change your business mindset in terms of data – be more transparent and open to giving users more knowledge and control over their data. So, create positive opt-ins and clearly ask for users’ consent before using their data.
Be prepared for customers that may request the information your business has collected about them.
Your business will need to provide the information within a month. Ensure you have processes in place to protect individual rights, so create documents detailing how you’d go about deleting data or providing data to users, i.e. the format.
Make your Website GDPR-ready
Before you do anything, ask your data protection officer or contractor to carry out a data audit.
This is where you can identify gaps in your knowledge and processes and replace third-party apps that aren’t preparing to be compliant with GDPR.
A data protection officer will also scrutinize the links and ways that your website has collected data in the past. They’ll look at who has access to your data, who you share it with, where your data comes from and how you manage it.
Make sure there is info on your website about HOW and WHY you collect user data and you must ask for consent to add users to your mailing lists etc. when you get a query through your website.
Think of this as building a ‘consent experience’ for your users.
GDPR focuses on the idea of pseudonymised data and states that “pseudonymisation is a central feature of data protection by design.”
This basically means creating secondary processes whereby ID from one data set needs to be matched with data from a second set to make sense. So it separates data from identifiers that make it possible to link data to an individual.
This means that if one data set is breached then hackers can’t find out who users are without both data sets.
One data set is effectively useless without the other.
Work on transforming your data in ways that make it more difficult to access and improve data anonymization.
In fact, GDPR incentivises data controllers to transform data in this way – it relaxes requirements on companies that use this technique, i.e. “Controllers do not need to provide data subjects with access, rectification, erasure or data portability if they can no longer identify a data subject.”
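The split described above, between a pseudonymous dataset and a separately held identity set, is easy to get wrong: hashing an email address with a plain SHA-256 is not pseudonymisation, because anyone with a list of candidate addresses can hash them and match. The following is an added example, not code from the original article, using a keyed hash (HMAC) so the token is only useful to whoever holds the key, and keeping the identity map as the “second data set”. The sample records, field names and the demo key are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample records (hypothetical people, not real data).
CUSTOMERS = [
    {"email": "alice@example.com", "name": "Alice Example", "plan": "pro", "logins": 42},
    {"email": "bob@example.com", "name": "Bob Example", "plan": "free", "logins": 3},
    {"email": "Alice@Example.com", "name": "Alice Example", "plan": "pro", "logins": 7},
]

# Fields that directly identify a person; these are split off into the identity map.
IDENTIFYING_FIELDS = ("email", "name")

# Constructed demo key. In practice the key lives with the identity map,
# away from the pseudonymous dataset (separate store, separate access rights).
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def subject_token(email: str, key: bytes) -> str:
    """Derive a stable pseudonym from the identifier with a keyed hash.

    HMAC with a secret key means the token cannot be matched back to an
    email by guessing candidate addresses, unlike an unkeyed hash.
    """
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(records: list, key: bytes) -> tuple:
    """Return (pseudonymous_dataset, identity_map).

    The pseudonymous dataset keeps only the token and non-identifying fields.
    The identity map (token -> identifying fields) is the second data set
    the article describes and must be stored and access-controlled separately.
    """
    pseudonymous = []
    identity_map = {}
    for rec in records:
        token = subject_token(rec["email"], key)
        identity_map[token] = {f: rec[f] for f in IDENTIFYING_FIELDS}
        pseudonymous.append(
            {"subject_id": token,
             **{k: v for k, v in rec.items() if k not in IDENTIFYING_FIELDS}}
        )
    return pseudonymous, identity_map


def records_for_subject(email: str, key: bytes, pseudonymous: list) -> list:
    """Subject access request: find a person's rows without opening the identity map."""
    token = subject_token(email, key)
    return [r for r in pseudonymous if r["subject_id"] == token]


def reidentify(record: dict, identity_map: dict) -> dict:
    """Join one pseudonymous row back to its identity; needs the separately held map."""
    return {**identity_map[record["subject_id"]], **record}


def leaks_identifiers(pseudonymous: list) -> bool:
    """Check that no identifying field survived in the pseudonymous dataset."""
    return any(f in r for r in pseudonymous for f in IDENTIFYING_FIELDS)


if __name__ == "__main__":
    data, ids = pseudonymise(CUSTOMERS, DEMO_KEY)
    print("pseudonymous rows:", data)
    print("identifiers leaked:", leaks_identifiers(data))
    print("rows for alice:", len(records_for_subject("alice@example.com", DEMO_KEY, data)))
```

If only the pseudonymous dataset is breached, the attacker holds tokens and usage figures but neither the key nor the identity map, which is the property the article describes; a subject access request can still be answered by computing the token from the requester's email, and deleting someone's identity is a matter of removing their entry from the identity map.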
The maximum non-compliance fines for GDPR are 20,000,000 euros or up to 4% of annual turnover, so in theory, companies outside the EU will be very keen to get it right!
Questions that remain…
There are lots of insightful, educational resources to take a look at and get to grips with GDPR.
The Information Commissioner’s Office has come up with their own guide and aspects of GDPR you should be aware of. We really recommend reading it through thoroughly.
A few issues that are still a little unclear are:
But overall – if you’re a company that’s complying with existing data protection laws already, GDPR shouldn’t be too disorientating for most industries.
It’s a wake-up call for everyone to examine their data collection/usage processes and update their policies.
In short, GDPR will give more protection to consumers and give more rights to individuals over their data.
This means that your company needs to reframe how it thinks about data and transparency.
Be prepared to rigorously assess your company in terms of compliance and adherence.
In the long-term, this will be a really good thing for brand safety, the content experience and hopefully improve trust between consumer and company.
Stay transparent, trustworthy and in a more volatile digital space, make sure you have the processes and preparation in place to protect customer data and respond to breaches.
Make sure everyone in your company, from top to bottom, is on board with GDPR.
If you’re looking for more advice, ICO is creating a phone service for small businesses – giving answers and clarity.