News and views
Is your business GDPR ready?
Mandatory data protection requirements are changing. New regulations will affect the way we all collect, store, manage and utilise personal data, creating a need for all companies, charities and public sector organisations to comply with strict new rules by 25 May 2018.
Wave has for some time been putting in place the new data-handling requirements stipulated under the EU General Data Protection Regulation (GDPR), ensuring that the way we gather data, hold it securely and communicate with our customers is compliant. However, many SMEs are not aware that GDPR is coming, or are confused about how it will affect them. If you’re not ready, you need to start preparing now to meet the deadline in just four months’ time.
The good news is that there is clear guidance out there and time remaining to make the changes required for GDPR compliance. The Information Commissioner’s Office (ICO), the independent authority that protects the way data is used, has created a suite of resources available on its website, including the information SMEs need about how GDPR will affect them and the steps needed to comply. These resources can be accessed at https://ico.org.uk/for-organisations/business/ and there is also a helpline specifically for small businesses and charities on 0303 123 1113 (select option 4).
It’s important to understand the facts and get ready for GDPR, not least because there has been a lot of rumour and misinformation on the subject, leaving many SMEs under the impression that the new rules won’t affect them. However, GDPR affects all organisations that hold and process personal data from any citizen in the EU (regardless of your own location), which includes customers, employees and suppliers as well as any new business database you may have.
While GDPR is EU-wide legislation, designed to harmonise data protection requirements across member states, the UK Government has made it clear that the requirements will be adopted into British law following Brexit, and the 25 May deadline is the same for all current EU states.
It is the largest shake-up of data protection law for a generation, tightening the rules for how we gain consent for acquiring, holding and using personal data. It places greater emphasis on the secure management of data, imposing greater penalties for non-compliance, misuse of data or failure to protect it. Indeed, the maximum penalty for organisations in breach of GDPR is €20 million or four per cent of annual turnover, whichever is greater.
Under the changes, even smaller organisations that routinely process personal data or process ‘special category data’ must appoint a data protection officer (DPO) with responsibility for ensuring the way data is collected, stored and utilised is compliant.
The new rules mean big changes for many organisations. However, they also represent an opportunity to tidy up old data which may be inaccurate, outdated or no longer relevant to your company. Your commitment to GDPR compliance will demonstrate that you care about your customers’ data and that they can trust you to protect it. It may even help you save time and resources by focusing your attention on customers and prospects who are genuinely interested in hearing from you, rather than communicating with people who are simply on your database.
The challenges and benefits will depend on the nature of your organisation, the structures and processes you already have in place to manage data, and the resources you commit to achieving compliance. One thing is certain, however: there is no way to avoid GDPR, and you will need to ensure that it is embedded in the way you manage every aspect of your business and fully supported by every member of your team at all levels.