What your business needs to do to comply with the new GDPR legislation

The new GDPR legislation (General Data Protection Regulation) was approved by the European Parliament in April 2016. It will replace national laws, unifying data protection and easing the flow of information across Europe. It comes into force on May 25th, 2018 at which time all UK organisations, however small, will have to comply with a new set of clearly defined provisions.

The UK Information Commissioners Office has made it clear that despite BREXIT, companies in the UK will still have to comply with the requirements of the GDPR.

This affects large corporates and small companies (SMEs) in the UK (of which there are 5.3 million). There are very few companies, large or small that do not store personal data about clients, prospects and staff. Invariably, this data is held in a variety of computer systems, however small, often stored in a mix of different formats, local and Cloud.

Even start-ups who acquire basic data lists will need to adhere to the new rules.

A Register?

GDPR legislation will create some work for even the smallest business. As a first step it will be advisable to create a comprehensive Register of what data is held and why, to record details of how long it is intended to be held, and to get permission from Consumers (Data Subjects) for certain classes of data to be stored, especially sensitive items for example such as information on health, religion, ethnicity and now, biometrics. Videos and images will be included, as well as some aspects of Social Media data and any collected information on devices being used such as the IP address.

For instance, small volumes of personal data may have been built up within paper files, in spreadsheets, in CRM systems, in mailing systems such as mailchimp, in E-Commerce systems such as Amazon, E-Bay Shopify or Infusionsoft, in research systems such as Survey Monkey, or even attached to and held within Xero and Sage accounting systems.

Whatever and wherever the data is stored, every Company that holds Personal Data on “Data Subjects” must do so in an open and transparent manner, only hold it for as long as is necessary, declare why it is being held, and seek permission from every ‘Data Subject’ for its continued use. This is actually an opportunity to strengthen engagements with Consumers, by asking for permission to ‘keep in touch’ for certain purposes, and getting any inaccurate data corrected.

Privacy Impact Assessments.

Transactions – engagements, product or service sales that businesses have made – will of course be of variable time duration. A holiday booked in a Devon hotel and taken six years ago; a house purchase made 10 years ago with details held by an estate agent; the names of students buying a product via an E-Commerce site where the business is still holding their personal details after 3 years; matter files at legal or accounting practices where partners have stored some data in paper files for 30 years and are now entering this into a new CRM system; new Cloud system based data held in applications such as salesforce.com.

There is an impact here on everyone’s privacy that needs to be assessed.

The penalties for GDPR legislation non-compliance are much more onerous than before. Figures of 4% of turnover (not profit) are indicated. In another view, larger organisations could face fines of up to £20 million.

Tackling GDPR with excitement – an opportunity to plan to sell more.

As a Data specialist business we have many years of experience aggregating and analysing client and prospect data in depth for a range of business activities – and so are ideally placed to assist organisations address the issues surrounding GDPR legislation. Our consultants come from an array of industries and business disciplines so are very capable of carrying out an initial GDPR Register build, and Privacy Impact Assessment.

There is a positive outcome too. If businesses understand more about their data sources, management controls and aspirations, they will be able to move beyond just doing a register exercise. They can use the investigation as an opportunity to extract, merge, clean and enhance their data…and update their Customer and Client communications. This GDPR process can be used to improve their Sales and Marketing activities, and after all everyone wants more business.

If you’d like to speak to one of our data experts, get in touch for a FREE 30-minute consultation. Call 01392 343111 or email peter.mccann@datawiseintel.com

Peter McCann