The GDPR (General Data Protection Regulation) is a new data protection regulation that gives consumers greater protection and more control over how their personal information is collected, stored, shared and used.
The key requirements of the GDPR are:
- A requirement for companies to collect and hold informed, specific and ongoing consent for all types of data processing and direct marketing campaigns.
- Businesses should store a record of when and how consent was given, so that it is quick and easy to find if they are asked for it.
- Consent cannot be assumed: before direct marketing is sent, you must have freely given, explicit consent to store and use personal information.
- New rules will be enforced on how long you can store client information and on what personal information can be collected; consumers have a “right to be forgotten”.
It’s important for businesses to consider how data is collected, processed, stored and shared in preparation for the new data laws. A communications audit may be useful to identify potential risks.
Existing customers must be reassured that the information they have provided will be secure and their privacy protected. Being open about the communication they will receive reaffirms their consent and improves customer relationships. The GDPR will also change B2B communication with individuals via their workplace contact details. The new rules are intended to protect against the misuse of data, and an ‘opt out’ option alone will no longer be enough to assume consent.
Consumers have expectations when they provide businesses with personal information, and the new laws will ensure those expectations are fair and that individuals’ data is not misused. When making an online purchase, customers expect to provide a name, email address and payment details so they can receive the product. It is fair for them to assume they will be sent updates on their purchase, or occasionally in the future about similar products or relevant information. All of this should be made clear at the time the data is provided, so people know exactly how their details will be used. It is important to give people options when requesting details, both on what information they need to supply and on their preferences for future communication.
Best practice for handling personal data:
- Only collect the data you need and will use.
- Be clear and transparent about what the data will be used for.
- Give consumers options to withdraw their data or to decide how they want you to use it.
- Have secure processes in place to protect personal data and the consent to use the data.
GDPR is set to come into effect in the UK from 25th May 2018, and any data breaches could carry huge fines. The new law aims to protect individuals against companies misusing their data and to give them back control.
Stuart Crook, a solicitor specialising in data protection and information law from Stephensons, said: “As the use of customer databases, cloud computing and online transactions continues to expand rapidly, the digital age – together with the privacy and security issues that arise for its consumers – is forcing lawmakers to greatly strengthen data protection laws and the penalties that can be imposed upon companies who don’t comply.
“With potential fines of up to 4% of annual turnover, it is essential that companies take immediate steps to prepare for GDPR.”