Is your business ready for GDPR?
New Data Protection legislation is on the way next year. GDPR is far-reaching, so you may need to start planning now to ensure that you are ready on time.
The new regulations are very complex, and the implications will vary depending on the nature of your business. In this article, we will discuss some of the main points; you can find information on the steps your business can take now to prepare for GDPR on the Information Commissioner’s Office website.
GDPR – which stands for General Data Protection Regulation – will come into force on 25th May 2018. It replaces the previous Data Protection Act and Privacy and Electronic Communications Regulations.
Like the existing rules, GDPR will be a piece of EU legislation. However, that doesn’t mean that Brexit will give UK businesses an easy way out. The rules will come into force long before the UK leaves the European Union, and it looks likely that the UK will also adopt GDPR as standard after Brexit.
How could GDPR affect your business?
If your business sells to individuals, the rules will apply to you in full. If your business sells purely to other businesses, the full picture is not yet clear, but you should assume that it will apply to you in full. After all, the lines between personal and business data are already very blurred, with many freelancers and micro-business owners using the same email address and mobile number for personal and business communications.
Depending on the nature of your business and the ways you handle personal data, you may need to appoint a trained Data Protection Officer. You may also need to make changes to your technology to ensure that you meet the new, wider requirements for the way that data is handled. In summary, all customer data must:
- Be processed lawfully
- Be collected for legitimate purposes
- Be limited to only what is necessary
- Be accurate
- Be retained only as long as necessary
- Be stored securely
If you fail to comply, fines could be payable. In extreme circumstances these can be as high as 20 million Euros, or 4% of your worldwide revenues for the previous year (whichever is higher). In reality though, this sort of figure is highly unlikely to apply to small businesses.
How GDPR will affect marketing
Marketing will be one of the areas most affected by GDPR for many businesses, and it will present some significant challenges. If you have an existing database of customers, you can only continue to market to those customers if you can provide clear, explicit proof that they opted in to your marketing, and that they knew what they were opting in for. If for example they filled in a form on your website and clicked a button to subscribe, this will not be adequate proof any more.
Many businesses – even some who followed good practice under the current data protection regulations – may end up effectively starting again from scratch, with no marketing database. One way round this is to start asking for specific opt-in instructions from your customers now.
This process, which is becoming known as ‘re-permissioning’, enables you to write to all opted-in customers now to obtain a more detailed, explicit opt-in, which you can store in case you need to provide evidence of the opt-in at some point in the future.
You will need to ask subscribers to email you from their address, explaining what they are signing up for (the type of marketing and the frequency with which you will send each). They will also need to state that they give you permission to market to them until further notice.
How do you ensure that your business is ready for GDPR?
GDPR is the most prescriptive, detailed piece of data protection legislation ever imposed on UK businesses. The implications will vary for each business, and this article is intended only as a very simple overview of the considerations.
You should look for wider advice on GDPR and start building an implementation plan to ensure that you are ready for May 2018, and that where possible you get processes in place well before that date.
We will be preparing for GDPR over the coming months and so, although you have opted in to receive this newsletter in the past, in line with the new regulations we may be contacting you again in the near future to ensure you wish to continue to opt in!