General Data Protection Regulation

Introduction

The times of freely obtaining data are well and truly over, highlighted by the introduction of GDPR across Europe. These new sets of rules & guidelines are set to redefine the way companies use and store data, with severe penalties for those who refuse to comply. The aim here at Umi Digital is to ensure you are not left on the darkside when the clock strikes midnight on the 25th May 2018 and to keep you on the correct side of the data police!

What is GDPR (General Data Protection Regulation)?

The GDPR was confirmed in April 2016 by the European Parliament after four years of deliberation with the aim of strengthing the rules of obtaining consent when it comes to the process of obtaining data. The need of change comes from the fact that data and its need for protection have become one of the most important and highly discussed issues from the past 2 decades combined. Advancements in technology now mean that data is extremely easy to obtain and has some of the highest levels of ROI from which companies can benefit from, with strong statistics showing it often leads to huge jumps in sales & revenue.

In a nutshell, data gives companies a new way to find out current customer movements and feelings. This overall helps them to make smarter business decisions that can potentially help them to achieve greater sales numbers. This crave for data often opens customers up to bombardment from companies after personal information for their own financial gain, or to simply resell onto other companies.

This is where The Freedom of Information 2000 was initially introduced by the government, to help control and regulate the different ways companies could gather data and also determine the type of data that can be kept. These regulations gave customers the right to know exactly what data was being kept and to uphold the right to control their data, however, these rulings were set 20 years ago which obviously causes huge issues, down to the rapid growth in technology and the multiple new ways data can be collected. This plus the fact that most individuals lose track and have no idea where it goes has allowed multiple loopholes to develop for companies to exploit. This is where the GDPR is set to come in to help govern the use and storage of customer data and to overall make the process of obtaining data freely harder and much more expensive.

What will it mean for companies?

This will have a direct impact on how businesses as the GDPR primarily focuses on how much money companies can be fined who mistakenly (or intentionally) fails to comply with certain legislation. In contrast to previous years where the severity of the penalty depended on the extent of the breach with a limit of £500,000. However new rules now mean that companies can be forced to pay 4% of their yearly global turnover or up to a 20 million euro fine, depending on whatever is greatest, which has understandably sent shockwaves through all sizes of businesses, from local suppliers on your high street to the “big dogs” such as Apple and Google.

The new rulings also give customers much higher levels of authority & rights when it comes to their data. Thanks to the introduction of GDPR, customers now hold the legal right to ask any business or organisation to see all pieces of data kept about them, within 3 months of asking. If companies fail to provide this, they could be exposed to a formal investigation and a severe fine.

How companies can prepare for the GDPR regulation changes

1. Establish if your organisation is “data controllers or data processors”
   Prior to the GDPR coming into place, only data controllers could be held accountable for data procedures at organisations, however, with new GDPR regulations data responsibility is also carried onto data processors too. This, therefore, will require organisations to check if they fall under data processors or handles to fully protect themselves and their employees. This difference between data controllers & processors has caused some confusion for business, according to Article 4 of the EU GDPR. The differences of data processors and controllers are shown below:
   A data processor –
   “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” 
   A data controller –
   “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
2. Create a clear and understandable Privacy policy for customers
   This may be as simple as outlining what the company intends to do with the customer’s data and the purpose of why they are required to keep it. This privacy policy document will need to extremely understandable without any hidden agendas or policies, that ALL customers will be able to interpret.
3. Prepare your staff for changes
   The GDPR will have a huge impact on an organisation and everyone member of staff inside of it. It is imperative that every member of staff is trained to follow certain GDPR rules/regulations as a mistake can cost an organisation large amounts of money through fines and penalties and overall reputation. Therefore staff training may be a prudent move to ensure every worker knows the do’s and dont’s when it comes to collecting and storing data.