25 May 2018 sees the implementation of the General Data Protection Regulation (GDPR).
It is a new piece of legislation brought in by the EU, aimed at strengthening the rules governing the collection and use of the personal data of EU citizens and residents, both within the EU and throughout the world. A similar system, the Privacy Shield Framework, currently runs within the US.
Who does GDPR affect?
GDPR will affect 2 audiences: ‘controllers’ and ‘processors’.
‘Controllers’ are defined by the GDPR as anyone who collects personal data e.g. individuals or organisations who maintain websites, apps, databases or Customer Relationship Management Systems (CRMs).
‘Processors’ act for the controller and process the data e.g. third-party applications such as MailChimp, Salesforce and Campaign Monitor.
Further information about GDPR legislation can be found here.
(We warn you in advance that it’s a hefty document, containing 99 articles).
With Brexit, will GDPR still affect my company/organisation?
GDPR legislation comes into effect on 25 May 2018, before the UK leaves the EU on 29 March 2019.
Additionally, the UK Government has confirmed that it will use the Great Repeal Bill to adopt all European laws, GDPR legislation included.
“By converting the acquis into British Law, we will give businesses and workers maximum certainty as we leave the EU. The same rules and laws will apply to them after Brexit as they did before.”
— UK prime minister, Theresa May.
Great Repeal Bill?
The European Union (Withdrawal) Bill, aka the Great Repeal Bill, was published on 13 July 2017 with the purpose of revoking the UK’s membership of the EU. It contains 19 clauses and 8 schedules and has yet to take effect.
Source: Institute for Government
Acquis?
‘Acquis’ is a shortened form of ‘acquis communautaire’, which refers to the accumulated legislation, legal acts and court decisions that constitute the total body of EU law.
Do I need to adhere?
If you’re a company or organisation that works within the EU and collects personal data, then you will need to comply with GDPR legislation. Failure to comply could result in a financial penalty from the governing authority, the Information Commissioner’s Office (ICO). Serious breaches could cost up to 20 million Euros or 4% of annual turnover from the preceding financial year. As mentioned, Brexit will not affect this, as the UK will still be within the EU.
How do I make my company/organisation GDPR compliant?
We’d first advise that you carry out an audit of how personal data is captured and processed throughout your company structure, e.g. website, apps, newsletters, CRM, databases etc.
Next, look in depth at your stored data: ensure that each person has given permission (manually added records will need to be deleted) and decide how you will deal with requests from individuals to have their data removed. To aid this task it may be worth designating a Data Protection Officer (DPO) from among your staff; for large-scale processing you may need to outsource the work.
Once you’ve completed the first two tasks, develop an internal procedure for processing data that will ensure future GDPR compliance, and update your privacy policies to inform your brand audience how you collect and use data.
We realise that complying with GDPR legislation may seem a daunting task, but we can only see verifiable consent for the protection of data as a good thing, as it will result in less spam and more relevant communication.
For help complying with GDPR legislation, please contact us:
02920 09 19 29