GDPR: What you need to know

This article contains general tips and information aimed at digital marketers. We strongly advise that you consult legal counsel for full, actionable guidance to ensure that your business is GDPR compliant in 2018.

What is GDPR?

At its most basic definition, the General Data Protection Regulation (GDPR) is an EU ruling that has been introduced with the aim of encouraging businesses to develop and maintain strict data management processes and guidelines that serve to protect the personal data and privacy of EU citizens.

When does GDPR come into effect?

Businesses that operate within the EU must be fully GDPR compliant by 25 May 2018.

Who will the GDPR affect?

The GDPR will affect any organisation that records, manages or processes personal information for any citizen who resides within the EU.

What happens if my business is not GDPR compliant by then?

Non-compliance will be a costly affair. If your business is audited, or a breach is discovered after the deadline, you can expect strong penalties. There will be two tiers of fines. The first is up to €10 million or 2% of a company’s annual turnover for the previous financial year, whichever is higher. The second is up to €20 million or 4% of the company’s annual turnover for the previous financial year, whichever is higher.

How will GDPR affect my business operations?

GDPR has huge implications for businesses of any scale. The regulations are extremely extensive and will have an impact on many areas of your business, whether it’s your marketing department, legal team or IT infrastructure.

Some examples may include:
- Adapting your website contact forms and databases
- Auditing your email marketing databases and altering sign-up and opt-in procedures
- Changing your internal data management processes
- Training staff throughout your business to a revised, best-practice data management standard
- Amending your business’ privacy policy

What are the key aspects of GDPR that I should be aware of?

The full extent of the requirements can be found by visiting: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

However, we have summarised some of the key components of the regulations below.

Consent

The GDPR requires organisations to obtain unquestionable, explicit consent for the use of private data. Consumers must now opt in to marketing when signing up to a service, rather than opting out, for example. This consent must also be recorded for auditing purposes.

It should also be noted that personal data may only be used for the activity for which consumer consent was given. For example, if a website user simply opted in to your newsletter, agreeing to monthly updates from your business, you cannot use this data for any other marketing activity that the user has not been made aware of or knowingly consented to.

The right to be forgotten

Simply put, data must be made deletable upon the request of a user at any time.

Data accuracy

Data records must be kept up to date and accurate at all times. This might mean that your website could benefit from an instantly updatable ‘my account’ section, where data can be kept up to date by the user. But it might also mean that your business should be actively engaging with consumers to update their data periodically over their journey with your business. Data should also not be kept for longer than absolutely necessary for the purpose it was acquired for.

For example, if you collected data for your annual showcase event, and this event was cancelled, this data should no longer exist, unless you have explicitly stipulated that you will retain this information to contact the consumer(s) about future events and they have consented to you doing so.

Where do I go from here?

Take action now. The GDPR deadline is fast approaching and, depending on the size of your organisation and the level of your interaction with consumer data, there could be a wealth of activities you’ll need to undertake. Here are a few ideas to help you get started on your GDPR compliance journey:

Review and audit your current digital platforms and databases
- Map out your data flows
- Do you have an audit trail of consumer consent?
- Are your contact forms fit for purpose and do they record consent via opt-in?
- Is your data accurate?

Update your privacy policy and internal data management procedures

Futureproof your plans
- Ensure that any website developments, marketing campaigns and business initiatives have been designed to accommodate GDPR, and ensure that all future activities accommodate GDPR too.

Where can I learn more?

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/