In April 2016, the European Parliament passed Regulation (EU) 2016/679. This is the General Data Protection Regulation (GDPR) and it’s going to have a massive impact on how we store and use data. We’ll be exploring some of the key topics in more detail over the coming weeks and months, but to start us off, here’s a brief overview of the GDPR and its likely effects.
What is the GDPR?
The GDPR is the EU’s General Data Protection Regulation. It covers the same general ground as the UK Data Protection Act (1998) (known as the DPA) and replaces the earlier EU data protection regulations, but expands the scope of both. Critically, it enshrines new rights for individuals in law and sets up a new avenue of redress for those wronged.
What’s the point of it all?
The GDPR is intended to replace both the existing EU regulations on the subject and the various regulations that the EU member states have put in place. This means that there’ll only be one set of regulations to follow, instead of dozens. It is also intended to protect individuals from the more pernicious effects of Big Data and algorithmic decision making.
Will my company be affected?
How can you be sure? You don’t even know what I do.
This new regulation affects any company that holds any data – including just a name or email address – relating to an EU citizen. Right now, that means that any business with a list of business contacts or customers which includes even one Brit – so every company in the UK – will be affected.
Can the British government reject this new law?
No. The GDPR is a regulation, not a directive, which means that it comes into play without having to be ratified by each government. The British MEPs and other policy wonks in Brussels have already had their say in shaping it – it’s now a done deal.
But we’re leaving, right? Will Brexit save us from the GDPR?
No. The UK government has confirmed this, and in any case the law covers foreign companies holding and processing data concerning EU citizens as well as companies inside the EU. Unless you’re prepared to be very stringent about who signs up to your mailing list, buys from your online shop, etc., you’ll inevitably have EU citizens on the list even after Brexit. Remember – there are lots of EU citizens living and working in the UK, so excluding them would be difficult and most probably impossible. This new regulation will affect businesses around the world as the EU goes to bat for the privacy and ‘right to be forgotten’ of its citizens.
When does it come into law?
The GDPR comes into force next year, on 25 May 2018.
What happens if I don’t comply?
As the law isn’t yet in place, it’s not entirely clear what the sanctions will be or how rigorously they’ll be enforced. However, the EU regulation includes provision for fines of up to 20 million euros or 4% of a company’s global turnover, whichever is higher. Either would be a big blow for any business, whether you’re a digital marketing company in Hampshire or a global name like Coca-Cola.
Well, it seems there’s no way out. How can I tell if I need to make changes?
If you have data that you manage under the existing Data Protection Act (DPA) including employee data, customer data, and other records, you should check to ensure that regulations haven’t been tightened or changed in ways that will affect you. This is particularly important if you hold sensitive personal data (e.g. medical or financial records, information involving children or vulnerable adults).
My data is managed by someone else. Do I need to worry?
Yes. The GDPR will affect you as a ‘controller’ or ‘processor’ of information. For example, let’s imagine you are a small Hampshire business and have a list of former client email addresses. If you keep it in house, you’re both the ‘controller’ and ‘processor’ of this information. If you work with us on your digital marketing strategy and we manage your email marketing list, you’re the controller and we’re the processor. In the latter case, you still need to make sure we’re handling the data correctly (which we would, of course), but you can trust our assurances instead of doing the legwork yourself.
How do I find out more?
Glad you asked! Get in touch with our team to get a personalised analysis that will tell you how your online business, digital marketing and website can be safeguarded or follow our blog to read more about the GDPR over the coming weeks and months.