The New EU General Data Protection Regulation (GDPR) comes into force in May 2018, affecting all firms which store or process data belonging to EU citizens. Even if you’re a small business in the UK’s back and beyond, if you have any customers from Europe, this includes you.
Worryingly, recent data breaches suggest that businesses across Europe are failing to properly prepare. EMW Law, a specialist in the new regulations, estimates that just 29% of businesses have reviewed their practice ahead of the changes. If you’re one of the 71% that haven’t started yet, here’s what you need to know to avoid a potential fine.
Privacy and protection are key
The GDPR sets the expectation that privacy and protection will be at the core of your data systems. It calls for ’privacy by design’, which means protective measures must be built-in, not bolted on.
If you’re a company whose core work involves large-scale or sensitive data processing, you’ll also have to train up or hire a dedicated Data Protection Officer. It’ll be their responsibility to maintain thorough records and stay in touch with local Data Protection Agencies.
Consent is essential
Under GDPR, all firms must get consent to collect or process customer data. The consent can’t be slipped into the bottom of an email in tiny font or written in incomprehensible legal jargon; it has to be obvious, clear, and explain exactly why you need it.
Adapting to follow this rule could actually be good for your brand. A recent IBM global survey found that 47% of people want more transparency about how their data’s used and 38% expect clearer language. Being more open about your data collection could be a strong move, customer relations-wise.
Clients gain more control
80% of UK consumers view their data as their personal property. GDPR aligns with this sentiment by requiring companies be ready to provide all data to its owner in electronic format, or to erase it on request. Companies must also inform customers of data breaches within 72 hours.
Brexit doesn’t mean a break
44% of UK firms believe Brexit will exempt them from GDPR. The UK government has confirmed they’re wrong. If the UK stays in the EEA, GDPR will still apply to UK citizens. If it does not, businesses will need to meet their standards to trade with EU-based businesses or individuals anyway.
Preparing for GDPR does represent lots of work; at least 12 months according to EMW Law. Failure to comply won’t just risk lost clients. Breaches incur fines of up to 4% of turnover or €20 million (whichever’s highest). Time to crack on.