Is your business prepared for GDPR?

Aside from the Royal Wedding of Prince Harry and Meghan Markle, the other seismic event is when GDPR takes full effect on May 25th 2018 and B2B and B2C businesses will need to fall in with brand-new data processing laws.

I’m still digesting Brexit - do I really need to know about GDPR?

Yes. UK businesses must still comply. Once a date is set for leaving the EU there will be a 2-year transitional period when we have to blend with EU legislation - including GDPR. After that, it’s expected we will become a ‘white-listed country’ allowing us to share data across the EU.

So what’s GDPR in a nutshell?

The General Data Protection Regulation will hand power back to the people about their own data and unify data laws across Europe, so we are all singing from the same data rule sheet.

Okay, why now?

It’s the largest re-organisation of IT legislation the marketplace has seen; an overhaul to bring regulations up-to-speed with the technology and data storage, which have outpaced them over the last 20 years.

What do I need to do to ensure a long term and stable relationship with GDPR?

You need to have a data ‘spring clean’: from data on your customers collected through CRM, to information on your suppliers and business partners, down to data on colleagues within your own organisation held in filing cabinets, text messages and Post-It notes in desk drawers. As with any spring clean, you need to sort out old, incorrect or incomplete data.

Given the widespread nature of this data, the responsibility for GDPR compliance should rest with each department, so it’s an ideal opportunity for a company-wide refresher in terms of training and attitudes towards data.

Privacy by design – which ensures projects are build around privacy and data protection as a central principle from the start, rather than added retrospectively – will no longer be considered the gold-standard, but expected as standard. And GDPR’s accountability principle requires you to document your compliance every step of the way.

GDPR – it’s all about getting to know you.

Get to know your data: where you got it from, who you share it with, how and where you store it and for how long. How does data flow through your company from source to end? If it leaves the EU, you need to transfer it in an approved manner and notify the data subjects affected.

Be fully cognisant of how data is collected, stored, processed and importantly transferred to 3rd parties. Structure your data and know who is responsible for it. Organisational measures need to be firmly in place that are regularly monitored, tested and updated. Ignorance is not an option.

The privacy policies on your website will need to be reviewed and updated. A pre-ticked box, silence or inactivity will no longer constitute valid consent. Consent needs to be transparent and freely given, it also needs to be verifiable. Businesses need to keep clear records of when and how consent was given, so they can prove consent if they depend on it for processing data. Documentary evidence to demonstrate on-going accountability and confirm compliance is critical.

Okay, so I have all my data in order, what else?

Safety measures. Ensure you have the right technology for keeping data safely, backed up and encrypted. Define the dangers at each stage of data collection, storage and sharing and create controls around them.

Systems and software should be brought bang up-to-date. You need to create a security-aware culture within your organisation.

I hear the GDPR regulations are 90 pages long and contain 80 different articles. Can you make it short and sweet?

Yes. GDPR can be distilled down to twin tenets or two words - transparency and accountability.

Transparency means being able to provide the correct information at the right time, for example, the source of each of your customer’s personal data as well as their written consent agreeing it can be used for marketing purpose.

Accountability means that you can prove everything you have done to ensure compliance.

There are two main roles for compliance; that of controller and processor. What’s the difference?

A controller is the body which defines the purpose of processing data.

The processor is the agency processing the data on the controller’s behalf, for example, a data centre.

Controllers need to be abreast of security measures their processors use in the form of written contracts, not having these could result in a fine. In the case of a security breach, protocol has changed: the processor must inform the controller who must alert the authorities and in certain instances, contact the individual themselves.

Data gets personal.

It is possible that an individual could ask to see their personal data, correct any errors, ask for it to be deleted or even transferred to your business rival.

Personal data means anything that could identify you in your personal, public or professional life from your name, address and mobile device ID, to location, IP address or company email.

Under GDPR ruling business and private customers are treated the same, so both B2B and B2C companies could be liable if an individual wants to make claims of damages.

Can I use this to show my customers some love?

Absolutely. This is your opportunity to court your customer, show you are motivated by customer care and you want to protect, not exploit, their data. It’s a chance to prove to clients you are responsible, reliable and respectable.

What if I’m not much of a romantic?

Well the hefty fines should keep you in line. Non-compliance could mean you are fined up to 20 million euros or 4% of your annual global turnover with this maximum fine reserved for more serious violations such as processing data with insufficient customer consent. Lesser 2% fines can be levied against companies for failing to inform a data subject or the supervising authority of a breach, or for neglecting to have their records in order.

If that doesn’t motivate you, then the reputational damage caused by the name-and-shame mechanism or the regular audits that can be imposed, might get you more in the compliance mood.

Of the 39 possible breaches of GDP, a grand total of two pertain to security. The other 37 refer to compliance. And of the breaches capable of incurring the higher level of fines, most relate to issues that are the controller’s responsibility as they have more contact with data subjects.

Does GDPR give me chance to land a leading role?

Possibly. It’s good news if you see yourself as a Chief Data Marketing Officer, Chief Privacy Officer or Data Protection Officer as the European-wide market is 33,000 short of these jobs.

Tell me more about PIAs – are they a type of B2B prenup?

Yes, sort of. Under GDPR, Privacy Impact Assessments (PIAs) act as an early detection system that assess and address privacy risks to your project and they will be obligatory for certain types of processing. Like a prenup, PIAs act as damage limitation in terms of both cost and reputation and will be considered best practice when launching a new service or marketing campaign, adopting new systems or policies, or outsourcing services to a third party. The obligation to conduct PIAs rests with the data controller and should be carried out before the processing commences.

Feel as though you need a Business Fairy Godmother or you’ll never get to the GDPR Ball?

Regulation moves quickly and technology even faster. There is a competitive advantage to being ready for the GDPR - and heavy penalties if you are not.

Retailers take heart. Redbox’s knowledge and expertise will navigate you through the minefield of GDPR and bring you bang up to speed, ensuring you and your ecommerce platform are proficient, primed and perfectly prepared for the GDPR Ball.

Will there be a happily ever after?

Yes. With careful planning and preparation, with policies and procedures firmly in place, you should be ready to welcome GDPR with open arms. And like the happy union of Prince Harry and Meghan, this could be the start of a beautiful friendship.