GDPRDESIGN | BLOG

21 May 2018

What is the General Data Protection Regulation (GDPR)?

Have you noticed the influx of emails to your inbox from businesses desperate to get your opt in before 25th of May? They are coming in thick and fast, all because of the upcoming General Data Protection Regulation (GDPR). Everyone is talking about ‘GDPR compliance’ – but what does it really mean?

It can be really confusing for small businesses to work out what it is they actually have to do to become GDPR compliant. In this blog, we’ll demystify the new regulation, what it might mean for you, and why compliance is a great thing for your business!

What is it?

The GDPR is a huge overhaul to update data privacy regulation, defining changes in how your business collects, stores and processes the data it holds on people. After nearly two years of planning, the new regulations come into force on the 25th of May 2018. The GDPR has been introduced across the European Union to provide more consistent regulation, affording greater protection to individuals by extending their rights regarding their personal data.

Though, for some countries, this will be a significant change, the UK has largely taken an advanced approach to data privacy for some time. Due to the UK’s Data Protection Act (DPA) and Privacy and Electronic Communications Regulations (PECR), some of the regulations included in the new legislation are already being adhered to by UK businesses. As a result, despite the scaremongering and apparently high levels of confusion and complexity, the reality is that the GDPR doesn’t present anything radically different from what we have now. Some of the main differences are:

• Increased rights to individuals, and improved control for them over their personal data (e.g. individuals can request to see what personal data you hold on them, or can request you delete all personal data you hold on them).

• A greater requirement for organisations to be transparent about how they use personal data (e.g. you must be much clearer with people about what data you need, why you need it, how long you will keep it, who you may share it with and so on).

• More onus on organisations taking data protection seriously and being able to demonstrate clear accountability (e.g. you need to be very clear on roles and responsibilities in terms of data protection).

• An increased emphasis on processing of personal data being fair (e.g. consent for processing is now only valid if it is freely given, specific, informed and clear, meaning no pre-ticked opt-in boxes and no ambiguity).

Why comply with the regulation

Firstly, if you are an organisation – of any size or form – processing personal data, then compliance is not optional and there are great risks to those businesses who fail to comply. You have probably read about possible fines reaching 4% of annual turnover or €20m; however, the likelihood of this for most small businesses is low. The regulator, the Information Commissioner’s Office (ICO), is trying to encourage the right behaviours rather than sanction businesses (last year saw less than 1% of over 17,000 investigations ending in fines). However, there are more likely negative consequences of non-compliance:

• Larger organisations are increasingly scrutinising businesses in their supply chain regarding their compliance. In some instances, in order to manage their own risk around GDPR, large enterprises have begun to stop working with businesses who are non-compliant. With 80% of small businesses in the UK forming part of someone else’s supply chain, it is vital that businesses at every stage strive for complete compliance.

• With high profile breaches of privacy like Facebook/Cambridge Analytica, customers are becoming more informed as to risks to their privacy, which is starting to influence their buying decisions i.e. they are becoming less likely to buy from an organisation that can’t protect their privacy.

On a more positive note, there are potentially significant benefits to business from the GDPR. Understanding who your existing and prospective customers are and what they want is fundamental to strong and effective marketing. GDPR makes you think about what data your business really needs and why, so ultimately you should end up with much higher quality, focused and usable data that will help you market your business more effectively. Research carried out a few years ago identified that small businesses could see increased revenue of 15 to 20% through more intelligent marketing; to put that in real terms, you’re looking at circa £100k increase on the average turnover of £550k.

Good compliance can also be a differentiator against others; if you can demonstrate you look after personal data better than your competitors, you are more likely to win business from both end customers and suppliers.

How we can help

If you’re still unsure of what to do, we can help. Our DataCAT subscription service is specifically designed to provide small businesses with a quick and easy solution to help get and stay compliant. This includes:

• A suite of policies, procedures, and tools, providing clear and easy to follow guidance for what you actually have to do to comply with GDPR.

• Ongoing updates to the policy suite to help you keep pace with changes in the regulation.

• Technology to add to your website, allowing you to communicate to all interested parties how you process personal data, and allowing you to obtain and manage consent effectively.

• An affordable annual subscription of £199.

Contact us today to find out more!