Despite Brexit, the EU General Data Protection Regulation (GDPR) is being enforced in the UK from May 2018.
And businesses are scrambling to understand the complex data protection legislation and achieve compliance.
The new rules aim to enhance European citizens’ rights over their personal data and create a streamlined regulatory regime for organisations in an era where unprecedented amounts of data are handled daily.
So here are three ways British businesses are gearing up for GDPR compliance.
1. Data Protection Officer (DPO)
It’s mandatory for large organisations that deal with a specified amount of data to employ a DPO — an information governance professional with a firm grasp of the different rules and regulations that apply in Britain.
But many smaller companies are training a data protection lead — a person with a decent knowledge of the area who will be the first point of contact for staff concerned about potential breaches and best practice.
And it’s likely that this is the first time many smaller firms are considering these issues carefully — creating a steep learning curve for everyone involved.
2. Audit
It’s difficult to decipher whether the data you hold is compliant with GDPR legislation when you don’t necessarily know what you’ve got, where it is, why you have it and what levels of consent were obtained when it was first received.
So British businesses are completing data audits to establish the amount of data they hold, the levels of security at storage points and the possible presence of data that should have been securely destroyed or deleted according to data retention schedules.
This process is time-consuming and will involve every staff member to some extent — but it’s crucial for compliance.
3. Consent
It’s always been necessary to obtain consent to communicate with clients for marketing, but GDPR sets a high bar — reasons for collecting, controlling, processing and sharing data must be crystal clear and granular.
The other main basis for client communications is legitimate interest and this applies to most direct marketing activities.
But companies involved in digital marketing have to satisfy both GDPR and the Privacy and Electronic Communications Regulations (PECR), and email marketers will likely need to operate on the basis of both consent and legitimate interest.
Unpicking these regulations in order to explain what rules apply and when is keeping a significant portion of the British legal profession busy — from solicitors in Leeds to legal advisers in London.
For activities that rely on consent, companies are contacting clients and customers to ensure that the permissions they obtain for processing data are compliant with the high standards set by the new rules.
GDPR will be enforced by the Information Commissioner’s Office (ICO) in the UK, and the fines applicable for non-compliance are significantly higher than those under the previous regime.
Most SMEs will likely never undergo an investigation from the regulator — but if they can demonstrate that they’ve implemented these three steps to compliance, they shouldn’t have too much to worry about.
What’s your organisation’s approach to data protection? Share your advice in the comments section.