The topic of the moment, and the acronym cropping up in every meeting, is of course GDPR. It stands for General Data Protection Regulation and is set to replace the out-of-date Data Protection Act; it is the talk of the town and will affect us all. However, we are constantly being asked what it means for our clients and what they need to do to be compliant, so we have scoured the many articles, gathered the facts into the list of must-know elements below, and sourced a handy guide for what to do next in the process.
• GDPR actually consists of 99 articles.
• The regulations will impact every entity that holds or uses European personal data, both inside and outside Europe.
• Under the new regulations, companies must keep a thorough record of how and when an individual gives consent to store and use their personal data.
• GDPR widens the definition of personal data. The GDPR considers any data that can be used to identify an individual as personal data. It includes, for the first time, things such as genetic, mental, cultural, economic or social information.
• The age of consent for collecting an individual’s data is raised from 13 to 16 years old.
• Privacy by design calls for data protection to be built in from the outset of designing systems, rather than added afterwards.
• The data minimisation principle requires organisations not to hold data for any longer than absolutely necessary, and not to change the use of the data from the purpose for which it was originally collected.
• Individuals also have the right to withdraw consent at any time, easily and swiftly. When somebody does withdraw consent, their details must be permanently erased, and not just deleted from a mailing list. GDPR gives individuals the right to be forgotten. Any requests that individuals make regarding their data must be recognised and executed within one month maximum.
• Firms handling significant amounts of sensitive data or monitoring the behaviour of many consumers will be required to appoint a data protection officer.
• In the event of a data breach, GDPR forces companies to inform relevant authorities within 72 hours, giving full details of the breach and proposals for mitigating its effects.
• It is backed by heavy financial penalties, which can be up to €20m or 4% of annual worldwide turnover for groups of companies, whichever is greater.
• Companies will be expected to be fully compliant by 25th May 2018.
The ICO has published steps for businesses to take now in preparation; see below.
EConsultancy has also produced a great post sharing examples of GDPR compliance in practice, which helps translate the law into examples we can take guidance from.
GDPR: 10 examples of best practice UX for obtaining marketing consent
In all this research, we have tried to establish what this means for the data giants out there, yet many have still to address the issue. Google Analytics was quick to note that it is working towards compliant solutions, but we don’t know what they are yet. Mailchimp, meanwhile, provides a guide to GDPR, but without much insight into whether it meets every requirement of the new regulations or whether there will be changes for its customers. It would appear that all businesses alike are still at the research and planning stage of dealing with GDPR, and that it may be some time before we have definitive answers and reassurance from some of our biggest data processors. We are eagerly awaiting further news and will endeavour to provide insight as others do.