Only 9 months until GDPR. Are you ready for the EU’s new data protection laws?

General Data Protection Regulation comes into effect on the 25^th May 2018 and will bring a new far stricter set of data protection regulations that will apply to any company seeking to trade in the UK or the EU. It also brings new heavy fines for breaches – up to €20 million or 4% of global turnover (whichever is greater!). Here is what you need to know to get your company ready for GDPR:

1. What is personal data – data is now to be defined as anything that can identify a person. This is not just a name, address or telephone number, it can also be their social media accounts, IP addresses, internet history, location data, shopping habits and much more especially when combined with other equally innocent looking pieces of data.
2. You are always responsible – whether you are the brand owner, an agency processing data on behalf of your client, a fulfilment company sending out direct mail, an international company based outside the EU or anything in-between, if there is a breach all of you are liable. This means you must review the policies of both your clients and your suppliers to ensure they are GDPR compliant and that all parties have strict contracts in place about how they use, collect or store consumer data.
3. Consent – must be positive and freely given. This is the end of “opt out if you do not wish to receive” boxes. Consent should be in plain language, is for the time being only, not for ever and should clearly express what you will use the data for. If your data has not been gathered in this way, as most currently is not, then continuing to use this data or even possibly even just storing this data, will be a breach post May 2018.
4. Breaches – if you lose any data or suffer any other type of breach you now have just 72 hours to notify the ICO and those affected (clients, consumers, suppliers, staff etc.) by the breach. This could be the hardest part of GDPR as it will require being able to spot or monitor breaches, as well as identify who they have affected, very quickly. With so much data still held on individual machines and no central access or register, it is important to introduce new policies on who and where data can be stored in the future to avoid these risks.
5. Right to Access and the Right to be forgotten – the need for a single company database is reinforced by the need to comply with these new consumer powers: the right to access my data (what do you hold on me and how are you using my data) and the right to be forgotten (I want you to delete my data from all your systems). For a company without a central database this will be almost impossible to comply with, there is always the risk of a rogue file on someone’s computer. For the future, you will need to have systems in place that tracks every piece of data, records where it is stored and how it is used.
6. Privacy starts with internal policy –  the new laws will affect every part of the business and so new policies may need to be in place before GDPR to correctly guide employees on their responsibilities. Although putting polices in place is one step towards protecting your liability, training and checking they are followed is the only sure way to stay compliant. A policy that isn’t followed isn’t a policy.
7. The time to start was yesterday – the first draft of GDPR were published in May 2016 so “that there has not been enough time” is no excuse .

PromoVeritas are experts in compliance. We have been working for 15 years to mitigate risk, provide understanding of the law and write policies that protect you from harm.

With GDPR in mind, we have put together a comprehensive set of services designed to help you to be both knowledgeable and compliant. They apply to anyone who obtains, stores or uses data, whether they are an agency, a brand, UK based or international.

To find out more about our GDPR services contact us on +44 203 325 6000 or email info@promoveritas.com