General Data Protection Regulation (GDPR) is a data privacy law that holds companies accountable for the use and processing of personal data. Enforceable from May 2018, the law is designed to give individuals more control over personal or sensitive information companies hold. GDPR applies to every organisation which processes the personal data of EU citizens irrespective of location.
What is personal data?
Personal data is any information that could be used to identify a person. Under GDPR, the scope of what counts as personal data is broad, ranging from a name, number, location or IP address to special categories such as race, sexual orientation or political beliefs.
In order to comply with GDPR legislation, organisations must:
1. Have a legitimate reason for processing data and obtain consent from customers for the processing and usage of their data.
2. Give users the right to access or delete their data upon request.
3. Ensure data collection systems are compliant with GDPR security protocols.
4. Report security breaches within 72 hours to both customers and the supervisory body.
5. In most cases, appoint a Data Protection Officer to ensure companywide compliance with GDPR requirements.
Organisations that fail to comply with GDPR can face heavy fines of up to 4% of their annual turnover. Over the past year the UK’s Information Commissioner’s Office (ICO) has levied fines against companies or individuals found in breach of the legislation. For example, Bounty UK Limited, a pregnancy and parenting club, was fined £400,000 for illegally sharing personal information collected for membership registration.
GDPR can be complex and difficult to comprehend, but it is important that organisations understand the different facets of the legislation and how it applies to their business operations. At Kazient, we draw on our expert knowledge to provide the best guidance on the right course of action for your organisation. For instance, when the GDPR law was enacted in May there was a question about the legal basis for processing the data of existing customers. Many companies sent emails to their entire database asking for opt-in consent to receive future marketing. Drawing on our expertise, we advised our clients that this was not necessarily the best approach. Instead, we suggested that they ask their customers whether they would like to opt out of having their data processed this way. With the opt-in approach, companies found that no more than 7% of respondents gave their consent, wiping out 93% of their database for future marketing. The companies we advised, by contrast, found that 2% opted out, leaving 98% of their customers allowing their data to be used by the company going forward. Seek the expertise of data protection consultants for your organisation to determine the best course of action in complying with the regulation.
If you would like some help with your GDPR compliance or to book a free initial consultation worth £499, email firstname.lastname@example.org