In May next year (25 May 2018, to be precise), the General Data Protection Regulation (GDPR) comes into effect for any organisation established in the EU, and for any organisation outside it that offers goods or services to people in the EU or monitors their behaviour. To anyone thinking that Brexit means the UK shall be spared the regulation, I’m afraid you’re mistaken: it takes effect before the UK leaves, and UK businesses serving EU customers will still be caught by it afterwards.
You might be asking yourself whether your business has any reason to concern itself with the new rules, and the short answer is simple: definitely. If you collect, store or use personal data about individuals in the EU at all, whether customers, prospects, website visitors or employees, then your business needs to be prepared for the regulation or risk facing a hefty and potentially debilitating fine.
The new rules come at a time when public concern over how personal data is handled is high and governments are demanding that businesses take concrete steps to reduce the risk. The GDPR, which governs personal data about identifiable individuals (with extra protections for ‘special category’ data such as health, religion or sexual orientation), applies to every business operating in the EU market that collects, uses, or shares such data, i.e. most of them. Specifically, the regulation applies to both ‘controllers’ (the party that decides why and how the data is processed) and ‘processors’ (a party that processes it on the controller’s behalf, such as a hosting provider or email service), placing obligations on both. Both must, for example, keep records of their processing activities, while controllers must make sure their contracts with processors contain the terms the GDPR requires: what data is processed and why, for how long, what security measures apply, and what happens to the data when the contract ends.
The new rules attempt to ensure greater transparency about what happens to a person’s data. A business needs a lawful basis for each use of personal data. Consent is the most talked-about basis, but it is not the only one: the regulation also recognises processing that is necessary to perform a contract with the person, to meet a legal obligation, or for the business’s legitimate interests where those aren’t overridden by the person’s rights. Where consent is the basis, it must be specific to that use, and it can be withdrawn at any time. The regulation also widens what counts as ‘personal’ data and now explicitly includes online identifiers such as IP addresses, cookie identifiers and device IDs, on the basis that these can be combined with other information to single out an individual. Businesses that buy or sell data should be prepared for new clauses in their contracts, and for having to tell the people concerned where their data came from when it wasn’t collected from them directly. They may also be required to appoint a data protection officer if their core activities involve large-scale processing of sensitive data or large-scale, regular monitoring of individuals.
Of course, where you rely on consent you will have to ask for it, which means some fairly intrusive notices on business websites. Similar to the cookie pop-ups users already see, these notices will need to tell users plainly what data is collected and what it will be used for, and ask them to opt in. A pre-ticked box or simply continuing to browse won’t count: consent has to be a clear, affirmative action, granular enough that users can agree to one use without agreeing to all of them, and as easy to withdraw as it was to give. Businesses don’t just need to stay ahead of the new regulation internally, but also make sure any suppliers they work with are clued in and ready to help them comply. This goes for ad agencies, design agencies, and their web developers (who will need to build those consent mechanisms). Speaking of which, keep your eyes glued to the Dusted blog for part two of our guide to the GDPR, where we’ll be outlining our own process, plan, and legal strategy.
Businesses need to get in touch with their lawyers and revisit their terms of business, privacy notices and supplier contracts in order to protect themselves. The fines for breaching the GDPR can be up to 4% of global annual turnover or €20 million, whichever is higher, so it is definitely not something businesses – especially small businesses – can afford not to plan for. Only 30% of businesses are preparing for the new regulation so far, so we recommend that, if your business is subject to GDPR, you get started on making a plan now before it’s too late.