Have you heard about the new piece of European data regulation that will become law from 25th May next year? The General Data Protection Regulation (or GDPR for short) and was adopted on 27th April 2016. It will replace the current Data Protection Directive and is designed to strengthen data protection for EU citizens.
GDPR becomes law on 25th May 2018
Whilst the core objective of this new regulation remains similar to what’s currently in place, membership associations must take notice. That’s because as a result of consumers gaining more rights, businesses will face tighter obligations.
And with heavy penalties for those who fail to comply, it’s important you make the time to ensure you’re ready. So to help, I’ve put together this article in the form of a Q&A. It contains an overview of what you need to know about the GDPR along with some simple steps you can take to ensure your association is ready for 25th May 2018.
1. What’s the purpose of the GDPR?
In a nutshell, the GDPR is designed to strengthen consumer’s data protection rights whilst making data security law uniform across the EU. That’s because this key piece regulation covers how personal data is captured, controlled, and ultimately used.
You could argue this change has been coming…
As you know, it’s become easier and easier for companies to capture data for marketing and other business activities. This has created huge opportunities for businesses in terms of sales, market research, and relationship building (to name just a few). The business benefit is clear. High quality consumer data is a key asset for any business.
But as data collection has become more commonplace, consumers have become more sceptical about why their data is needed, how their data is used, who owns it, and who gets access to it. Add in cyber security and the threat of data being stolen when systems are hacked, and consumers are right to be concerned about the safety of their personal information.
Hence these new regulations…
That said, there are some business benefits too. With the introduction of this uniform EU law, member states will no longer be required to write their own data protection legislation. As a result, this new regulation could help simplify cross-border trade, making it useful if your members are located across the EU.
2. What is classed as personal data?
You may be surprised at the broadness of this term.
That’s because ‘personal data’ covers everything that can be used to identify a person including their IP address, an email, a photo, bank details, social networking posts etc.
As a membership association, you will hold a significant amount of personal data. From bank details, to payment information, and contact demographics, personal data is at the heart of your day-to-day business activity.
3. How does the GDPR differ from existing regulations?
Whilst data protection remains at the core, here are four significant differences.
More geographical scope: The GDPR will extend the jurisdiction of data protection laws. As from next year, if you collect data from EU nationals – even if your organisation is located outside the EU – these regulations will apply to you. As a result, many more companies will be required to apply.
Fines: Under the new regulations, the maximum fine for non-compliance can be up to 4% of global turnover (or €20 million – whichever is the greater figure).
Consumer consent: Companies must be clear and upfront as to the reason why they want data. What’s more, consent must be requested in a clear and comprehensible way. Finally, companies must make it so that consumers can withdraw their consent just as easily as they can give it.
Requirement to reporting data breaches: Under these new guidelines companies will be required to report details of data breaches to their Supervisory Authorities within 72 hours of a breach being discovered.
4. Does the GDPR apply to you?
All companies that sell to the EU must adhere to this regulation – regardless of the geographical location where the business is located. So if you collect data from EU nationals, this new piece of regulation is relevant – even post Brexit.
That said if your business operates solely within the UK, this position could change when we leave the EU. However, it’s likely you will still be required to review your systems because the UK government has suggested it will implement something similar or equivalent in the future. (Source. EUGDPR.org).
5. What are the consequences of not adhering to the new guidelines?
Non-compliance is NOT an option! That’s because companies that fail to meet these new obligations could face penalties and steep fines. The fine system is tiered, but the most serious infringements (such as insufficient customer consent), could lead to huge fines.
6. What do we need to do as a company to become GDPR compliant?
Firstly, it’s important to start now.
Sure, there’s still a little under a year to prepare, but you know how quickly time flies! With the threat of big fines, you don’t want to get caught out with systems and processes that don’t comply with the new regulations. That’s the biggest issue here…
Theoretically you can wrap your head around your new obligations quite quickly. What’s going to be more challenging is ensuring you have the required systems and procedures in place – all trialled and tested for that May 2018 deadline. And if your existing system is not GDPR compliant, you’re going to need time to migrate to a system that is.
To Do List
To help you prepare, here’s a list of actions to consider to get the ball moving:
If you have a legacy system, check your current provider has a grip on GDPR and its implications. Evaluate internal policies relating to data protection to identify what needs to be reviewed, addressed, and updated. This will take time to complete, so it’s best to start now.
With the help of an expert, identify what changes and upgrades are needed to your IT systems before next May. Decide how you’ll word your privacy notices to ensure they adhere to the enhanced rights of EU consumers come May 2018. Review your data collection procedures to ensure you let consumers know why you’re requesting their data. This moves to an Opt-in process rather than Opt-out. Assess your data security and identify the enhancements necessary to ensure compliance with the new regulations. Remember, there are heavy penalties if you fail to adhere to the new guidelines.
Determine the origin of your data and ensure you have compliant systems in place to capture consent. Check your procedures for reporting data breaches as per the new guidelines. Determine whether or not you need to employ a data controller to help you comply with these new regulations. As you can see, there may be a lot to do. So if you run a membership organisation and your legacy system isn’t GDPR compliant, let’s have a chat, before it’s too late.