GDPR for Business: What is GDPR and How Does it Impact You?
What would you do with 20 million Euros? How about 4% of your annual turnover?
There’s one thing we know for certain that you won’t want to do with it: pay the larger of the two as a fine to the European Union. That’s the risk facing businesses of all sizes in the UK now that the General Data Protection Regulation (GDPR) has come into effect.
You’re here because your professional services firm wants to stay compliant with the new data protection regulations while continuing to build customer relationships and generate leads online in an ethical manner.
In this post from our series on GDPR and Your Business, we’re going to explain GDPR, the impact on your business and how you can become compliant.
What is GDPR?
As stated above, GDPR stands for the General Data Protection Regulation. It affects all companies controlling and processing data within the EU and is designed to strengthen the data protection provisions previously in force under the Data Protection Act 1998. As an EU regulation, it has direct effect in UK law, and because it covers all global firms dealing with EU-based customers, it supersedes the UK-only Data Protection Act 1998.
The law aims to further protect online consumers by clearly defining the rights of an individual within the EU when it comes to their data. Importantly, the definition of personal data also includes company data, so the law is relevant to all businesses, both B2B and B2C organisations.
If you want to learn more about the fine details of GDPR, our extensive GDPR guide makes for a valuable read for marketers.
How Does GDPR Impact My Business?
As a business, the crux of GDPR comes down to how you control and process all data - namely this must be done lawfully and transparently.
Data can only be used and held for a specific purpose, and the consent given must relate to that purpose. Under the previous Data Protection Act, companies often relied on generic ‘marketing’ consent, or even on presumed consent unless the individual opted out.
This generic or opt-out consent does not comply with GDPR. Under GDPR, you must have documented and evidenced consent for every purpose, if consent is the stipulation that you rely on (we’ll get into the alternatives later). For example, if someone opts in to email marketing you cannot use that consent to send them a letter or to call them or their company.
The definition of personal data is also being expanded under GDPR. Personal data is now defined as any information that can be used to directly or indirectly identify a person or company. IP addresses and cookies, for instance, can refer back to data subjects.
For many companies, especially those relying on more outbound methods of marketing, this is going to be a significant and potentially costly change to implement.
As mentioned before, your business must choose which route to go down when it comes to housing personal data. The one we’ve mentioned is consent but there are other stipulations that you can legally declare in order to store data for the purposes of contacting individuals or businesses.
- You can store someone’s data for the purposes of contacting them if you have specific consent from them.
- You can store and process their data if you have a contractual obligation to that person or company.
- You can claim a legitimate interest as the reason you’ve processed someone’s data, unless that interest is overridden by the data subject’s fundamental rights.
- You can process the data if you have reason to believe that your processing is of vital interest to the individual or company.
- If the processing is in the public interest, you are able to process personal data.
- If you are legally obliged to process the data, you will be compliant with GDPR.
Once you declare which route your business is going down, you cannot change your mind. For example, if you send out a blanket consent email and lose a large majority of the contacts in your database, you cannot then switch those contacts to legitimate interest unless you previously declared that basis. When relying on legitimate interest, you will need to create a Legitimate Interest Assessment (LIA) to protect yourself against any complaints.
How Can My Business Adapt to GDPR?
The deadline for GDPR compliance was back on 25th May 2018 so, by law, you should have already made sure that your business and its processes are compliant with the latest regulations. However, many companies are still unsure exactly how to implement these changes. The first step in adapting to GDPR is to ensure that everyone in your organisation understands the regulations, their impact and the changes required.
The ICO recommends that every business designates a dedicated Data Protection Officer (DPO). Some large-scale businesses handling sensitive data are required to by law; nonetheless, the ICO recommends that all businesses have a trained DPO to act as the internal expert and ensure compliance.
We recommend completing an audit of how your business currently stores and collects data, focusing on the consent that is given. This becomes especially important if you employ mainly outbound marketing methods.
The good news is that Inbound Marketing already broadly follows the GDPR principles: customers are coming to you requesting information and inherently providing consent. However, that does not mean that you are automatically compliant. Your processes still need reviewing if you haven’t done so already. This includes ensuring you have:
- An audit trail of consent which can be used as evidence against any complaint
- A double opt-in system that only uses consent for one method of contact at a time
- A method for deleting and removing data at the request of the data subject
- Consent that also extends to IP address and cookie tracking, and guardian consent for any data held on children
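As an added example (not code from the original post), the following Python consent ledger models the points made above and in the consent section: consent is recorded per purpose so that an email opt-in never authorises a letter or a call, double opt-in only becomes usable once confirmed, every event lands in an append-only audit trail usable as evidence, and a subject's data can be erased on request. The purpose names, subject ids and event sources are constructed for the example.

```python
"""Constructed consent ledger: per-purpose consent, double opt-in,
append-only audit trail and erasure on request (illustrative only)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# One purpose per contact channel; consent for one never covers another.
PURPOSES = {"email_marketing", "postal_marketing", "telephone_marketing"}


@dataclass
class ConsentLedger:
    # subject id -> purposes confirmed via double opt-in
    confirmed: dict = field(default_factory=dict)
    # subject id -> purposes requested but not yet confirmed
    pending: dict = field(default_factory=dict)
    # append-only audit trail: (utc timestamp, subject, purpose, event, source)
    audit: list = field(default_factory=list)

    def _log(self, subject, purpose, event, source):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append((stamp, subject, purpose, event, source))

    def opt_in(self, subject, purpose, source):
        """Step one of double opt-in: record the request; nothing is usable yet."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        self.pending.setdefault(subject, set()).add(purpose)
        self._log(subject, purpose, "opt_in_requested", source)

    def confirm(self, subject, purpose, source):
        """Step two: the confirmation link was followed; consent is now usable
        for that single purpose. Returns False if nothing was pending."""
        if purpose not in self.pending.get(subject, set()):
            return False
        self.pending[subject].discard(purpose)
        self.confirmed.setdefault(subject, set()).add(purpose)
        self._log(subject, purpose, "consent_confirmed", source)
        return True

    def may_contact(self, subject, purpose):
        """Purpose-specific check: email consent does not permit a letter or call."""
        return purpose in self.confirmed.get(subject, set())

    def erase(self, subject, source):
        """Deletion at the data subject's request; the audit trail keeps only
        the record that the erasure happened, so it can be evidenced later."""
        self.confirmed.pop(subject, None)
        self.pending.pop(subject, None)
        self._log(subject, None, "erased", source)

    def evidence(self, subject):
        """Audit entries for one subject, the trail produced against a complaint."""
        return [entry for entry in self.audit if entry[1] == subject]
```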
Implementing all of these safeguards can seem daunting but, with the deadline already long gone, you have no choice but to ensure you are compliant immediately.
Does Brexit Affect GDPR?
No. All EU laws have direct effect in the UK and, as part of the Great Repeal Bill envisaged for Brexit, all existing EU laws are being incorporated into UK law. So GDPR will still apply after Brexit.
Full compliance with GDPR is no small task, and professional services companies will want to address their data protection issues and risks.
Throughout our series on GDPR, we’ll be addressing a variety of matters to help your firm comply with the latest data protection regulations.