Inc Direct discusses the EU General Data Protection Regulation (GDPR) and how your organisation can achieve compliance.
The new General Data Protection Regulation (GDPR) will determine how your organisation does business, and in particular how it manages, protects and administers personal data in the future. The GDPR will be implemented in 2018 and you need to start preparing now.
The European Union has approved tougher data privacy laws and, at more than 200 pages long, the GDPR is one of the most wide-ranging reforms to be passed in years. Since the UK will still be a member of the European Union in 2018, organisations will need to adhere to the changes in the GDPR. These changes will be implemented on 25 May 2018.
Why do we need the GDPR?
Personal data is being collected at an exponential rate and data protection legislation needs to be updated to take account of this. These changes are being put in place to regulate what organisations collect personal data for, how they use it and why they use it.
Penalties for breaching individuals' data privacy rights will also become harsher, with organisations facing fines of up to 4% of their total global turnover or 20 million Euros, whichever is higher.
Who needs to take action?
Marketers will be required to get consent from individuals before using their personal data for most marketing activity. Specific and clear information will need to be given to consumers explaining what will be done with their personal data. Individuals will have the right to opt out of being profiled according to their interests and behaviour, unless they have previously consented to it or it is required under the terms of a contract with an organisation. If individuals object to their personal data being processed for direct marketing activities, it can no longer be used for marketing purposes.
Here are 12 steps you can take now to help you prepare for the GDPR:
1. Awareness
You should make sure that decision makers and key people in your organisation are aware the law is changing to the GDPR. They need to understand the impact this is likely to have.
2. Information you hold
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
3. Communicating privacy information
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
4. Individual rights
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
5. Subject access requests
You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
6. Legal basis for processing personal data
You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.
7. Consent
You should review how you are seeking, obtaining and recording consent, and whether you need to make any changes.
8. Children
You should start thinking now about putting systems in place to verify individuals' ages and to gather parental or guardian consent for the data processing activity.
9. Data breaches
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
10. Data Protection by Design and Data Protection Impact Assessments
You should familiarise yourself now with the guidance the ICO (Information Commissioner's Office) has produced on Privacy Impact Assessments and work out how and when to implement them in your organisation.
11. Data Protection Officers
You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements.
12. International
If your organisation operates internationally, you should determine which data protection supervisory authority you come under.
How we can help you
Inc Direct has vast experience in all aspects of data protection, privacy and the protection of personally identifiable information. We understand what is required when you are planning your Direct Marketing campaigns, and can advise you on all the necessary steps to ensure your next campaign will adhere to all the new regulations set out by the European Commission.
Email us on firstname.lastname@example.org or call us on 0208 344 6280 to request an appointment on how Inc Direct can help you in your next Direct Marketing campaign.