Marketing: GDPR – Is your business prepared?
On the 25th of May 2018, the new General Data Protection Regulations (GDPR) will come into effect, with businesses in the industry – large and small – being required to make changes to the way they handle data. Referred to as the biggest shake-up to data privacy in the last two decades, failure to comply with the new legislation can have big consequences for companies. Jason Turner of Data2Action gives THIIS readers a brief overview of what the legislation is and some tips on how to avoid the pitfalls of non-compliance.
At a recent business networking event, Angus Long, owner of Impression Marketing, met up with Jason who was giving a presentation on GDPR and the impact of breaching the new regulations.
As a former director of the BGL group, owners of brands such as ‘Compare the Market’ and ‘Budget Insurance’, Jason has unparalleled knowledge and experience in the commercial use of data and more importantly, how to turn this important asset into real value.
“The new GDPR regulations are a significant elevation in data protection. It’s been over 20 years since the Data Protection Act was introduced and in that time there have been some significant changes both in technology and in the way we now interact and communicate both in business and socially,” explained Jason.
“In today’s modern environment, businesses use a vast array of databases, mediums and equipment, both physical and virtual, to hold and process personal data on almost everyone.
“Indeed, according to a report from IBM Marketing Cloud, 90 percent of the data in the world today has been created in the last two years alone. That’s 2.5 quintillion bytes of data a day! And, says the report, the data growth rate will likely accelerate even more.
“This, coupled with the increasing risk of accidental and deliberate data breaches, the rise in fraud, identity theft and unwelcome contact, has meant it was time for a radical shake-up of how personal data is to be collected, stored and processed.”
The origins of the GDPR lie with the EU, which has long recognised a need for a more coherent and harmonised approach to data protection across member states, combined with a desire to increase individuals’ control over how their data is collected, used and stored.
Even though the UK has elected to leave the EU, GDPR has already been passed and as such, UK businesses still need to comply. In fact, the Government is already working on adopting the principles of GDPR legislation into UK law under the proposed ‘Data Protection Bill,’ meaning the new regulations are here to stay.
It is fair to say that almost every single business and organisation, large and small, will be required to adopt and comply with this new data protection legislation. However, it is also probably fair to say that the homecare industry may well be high on the regulators’ radar, given the large amount of data it holds on elderly, disabled and vulnerable people.
Given that the penalties for non-compliance can be fines of up to four percent of a company’s turnover or €20 million, it is undoubtedly serious business.
But perhaps the consequences of failure are far more far-reaching than a fine. With the ‘human factor’ often identified as the greatest risk to security, organisations that fail to adequately protect personal data could well have their brand and reputation damaged.
In today’s digital era, it is all too easy to lose consumer trust and confidence when personal data is compromised.
What does this mean for business owners and businesses?
Jason believes the first thing people should do is not panic and, secondly, try to look upon GDPR compliance not so much as regulatory red tape but more as a commercial opportunity.
The six-point GDPR checklist
Jason suggests business owners should work through this checklist to help navigate their GDPR journey:
Conduct a comprehensive data audit and find out what data is held, where it is stored and what you are doing with it. This is fundamental because if you don’t know what you have or where it is, how can you protect it?
Understand and become fully aware of the rights and principles of the new data regulations. If you are a business that processes personally identifiable information, you will need to deliver a detailed and structured plan. At its very heart, GDPR wants to ensure that organisations are much more accountable and as such they need to proactively demonstrate that:
- Any data collected is processed lawfully, fairly & in a transparent way by organisations
- Any data collected is for specific, explicit & authentic purposes
- Any data collected is relevant & limited only to what is needed
- Organisations communicate clearly why data is being collected
- Organisations keep data and records accurate with data only being retained for as long as necessary
- All data is processed appropriately to maintain security and organisations manage and maintain documentary evidence demonstrating their compliance.
Have in place clear, robust and documented policies and processes. The plan will need to consider the people, procedures and technology aspects of your business, and should start by identifying all the data you process and ensuring you have a legal basis for capturing and using it. Demonstrate that you are, and have been, proactive in addressing the regulations, and keep documentary evidence of how you are complying.
As your plans progress, it’s imperative that you engage and educate your teams so that you all understand the revised rights of Data Subjects, plus the key principles that GDPR now places on businesses handling their data.
Re-audit and re-evaluate on a regular basis.
Look upon compliance to GDPR as offering a commercial advantage. Become compliant before your competitors and promote the fact. Consumers will be more assured and Local Authorities may well take compliance into consideration when evaluating suppliers for public sector contracts.
Don’t worry or struggle. There are a great many websites and organisations offering information and advice on GDPR. But, like most things, the quality will vary, so it’s important any advice or information comes from an authorised or accredited source.
Data2Action has a long pedigree of leading businesses in heavily regulated environments and is used to dealing with regulatory change. Our team of accredited GDPR practitioners can support businesses with a wide range of services including workshops and staff awareness training, full project management support, and independent review of processes, systems and plans. For more details contact firstname.lastname@example.org or 0333 202 6397.
A mobility retailer’s approach to GDPR
TPG DisableAids’ Alastair Gibbs highlighted his company’s approach to GDPR.
“Here at TPG DisableAids, we started planning our compliance with GDPR many months ago. We started by identifying all of the places we hold anything that could be considered as data.
“This uncovered a number of localised records that were uncontrolled and so it gave us the opportunity to centrally store that information. We then determined the reason for holding that information and rationalised its purpose.
“The one thing that it did bring to the fore is the fact that if we have sold to a customer a medical device, they do not have the option of having their records deleted so that we can find them in case of a possible product recall.
“We have been asking our customers for their consent to be contacted by us for some time and now feel comfortable in our readiness for full compliance.”