General Data Protection Regulations (GDPR)
Are you ready for the new General Data Protection Regulations (GDPR)?
It is one of the biggest shake-ups in data protection law. The way businesses collect, manage and store personal data will change for good. Regardless of Brexit, the EU's new data protection law will affect every business that handles EU citizens' data.
Is your business prepared for its introduction on 25 May 2018?
What is it?
The General Data Protection Regulation (GDPR) is a framework of rules on how organisations must protect the data privacy of individuals within the European Union (EU). These rules are currently governed by the Data Protection Directive (Directive 95/46/EC, established in 1995). The GDPR comes into effect on 25 May 2018, at which point SharpSpring intends to be fully compliant with the requirements of the regulation.
The regulation applies to organisations that meet at least one of the following:
- The organisation is based in the EU and controls or processes personal data of individuals in the EU.
- The organisation controls or processes personal data of individuals residing in the EU, regardless of where the organisation is based.
Key changes the GDPR introduces:
- GDPR replaces the Data Protection Directive (Directive 95/46/EC) when it comes into effect on 25 May 2018. The Directive was established in 1995, and the push to GDPR is driven by the vast changes in technology and data since then.
- GDPR applies to all organisations that control or process personal data of individuals residing in the EU, regardless of the organisation's location. Under the Data Protection Directive there was ambiguity about whether it applied to organisations outside the EU.
- GDPR introduces data portability, requiring data controllers to provide individuals with the personal data concerning them in a commonly used, machine-readable format.
- Valid consent must be explicit, both for the data collected and for its intended purpose. Using a confirmed opt-in list helps ensure compliance.
For example, it will no longer be acceptable to operate in grey areas such as adding email addresses from business cards to B2B lists, or relying on confusing opt-out clauses in poorly worded sign-up boxes. The same goes for all those postal addresses, telephone numbers etc. amassed over the years through competitions, polls, events, and interactions with your brand through a website or mobile app.
What is double opt-in, and why use it?
- Double opt-in is a method of collecting contact information in which contacts must take two actions to confirm their willingness to provide it. If you have ever filled out a form on a website and then received an email saying something like "Click here to confirm your subscription", you have already been part of a double opt-in process.
- Double opt-in helps ensure that the contacts filling out our forms are the actual contacts themselves. Without it, anyone could fill out our form with erroneous information (or someone else's details) and that information would end up on our mailing lists. If those contacts did not want to hear about our services or products, they could unsubscribe from the emails or, worse, mark them as spam. If the email address provided was inaccurate, it would also push up our hard-bounce rate when sending.
- Because a double opt-in requires the contact to click a link in an email after filling out the form, confirming that their information is correct, it mitigates the risk of sending email campaigns or other communications to people who never wished to receive them.
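The two steps described above, as an added illustration that is not part of the original page or of any vendor's product: a form submission records an unconfirmed contact and issues a signed, expiring confirmation token; only a valid click marks the contact confirmed and records when consent was given. The signing key, 48-hour validity window and in-memory contact store are assumptions for the example.

```python
import base64, hashlib, hmac, secrets
from typing import Dict

SECRET = secrets.token_bytes(32)   # per-deployment signing key (assumed; keep out of source control)
TOKEN_TTL = 48 * 3600              # confirmation link valid for 48 hours (assumed policy)

# Contact store: email -> {status, nonce, requested_at, confirmed_at}. In-memory for the example.
contacts: Dict[str, dict] = {}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _sign(payload: str) -> str:
    return _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())

def start_opt_in(email: str, now: float) -> str:
    """Step 1: form submitted. Record the contact as pending and return the token to email them."""
    nonce = _b64(secrets.token_bytes(16))  # ties the token to this specific request
    contacts[email] = {"status": "pending", "nonce": nonce,
                       "requested_at": now, "confirmed_at": None}
    payload = f"{email}|{nonce}|{int(now)}"
    return _b64(payload.encode()) + "." + _sign(payload)

def confirm_opt_in(token: str, now: float) -> bool:
    """Step 2: link clicked. Accept only an untampered, unexpired, single-use token."""
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    if not hmac.compare_digest(sig, _sign(payload)):   # constant-time signature check
        return False
    email, nonce, issued = payload.split("|", 2)
    rec = contacts.get(email)
    if rec is None or rec["status"] != "pending" or rec["nonce"] != nonce:
        return False                                    # unknown, already confirmed, or stale request
    if now - int(issued) > TOKEN_TTL:
        return False                                    # expired link: contact stays unconfirmed
    rec["status"] = "confirmed"
    rec["confirmed_at"] = now                           # evidence of when consent was given
    return True

def is_mailable(email: str) -> bool:
    """Only confirmed contacts may be added to a campaign list."""
    rec = contacts.get(email)
    return rec is not None and rec["status"] == "confirmed"
```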
Some key differences between GDPR and the Data Protection Act (DPA)
- Scope: DPA applies to the UK only. GDPR applies to the whole of the EU and to any global company holding EU data.
- Enforcement: DPA is enforced by the Information Commissioner's Office (ICO). Under GDPR, compliance in the UK is to be monitored by a Supervisory Authority.
- Fines: under DPA, fines for non-compliance can be up to £500,000 or 1% of annual turnover. Under GDPR, fines can be up to €20 million or 4% of annual turnover.
- Data Protection Officer: under current legislation there is no need for any business to have a dedicated DPO. Under GDPR, a DPO is mandatory for an organisation with 250+ employees.
- Erasure: under DPA there is no requirement for an organisation to remove all the data it holds on an individual. Under GDPR, an individual has the 'right to erasure', with all data, records, information etc. being permanently deleted.
- Impact assessments: the ICO has always promoted Privacy Impact Assessments (PIAs), but they are not a legal requirement under DPA. Under GDPR, PIAs will be mandatory and help an organisation ensure it meets an individual's expectation of privacy.
- Consent: under the current Data Protection Act, data collection does not necessarily require an opt-in. Under GDPR, individuals must opt in when data is collected, with clear privacy notices. Consent underpins GDPR and must be withdrawable at any time.
Points to prepare for GDPR
- Inform staff that the law is changing, so they are aware.
- Organise an information audit.
- Review all privacy notices and make any necessary changes in time for the GDPR deadline.
- Check your procedures and update them.
- Update existing consents to meet GDPR requirements.
- Implement procedures to detect and report a personal data breach.
- Familiarise yourself with the ICO’s code of practice on Privacy Impact Assessments, along with the latest guidance from the Article 29 Working Party, and establish when/how to implement within your organisation.
- If you operate in more than one EU member state, you should determine your lead data protection supervisory authority. The Article 29 Working Party guidelines will help.
If you need any help with increasing your digital activities, tips on GDPR, or ideas on how to create more opportunities for your business, please get in contact with us here at Network Intellect.