GDPR Basics: Is Your Business Ready?

You’ve probably heard the news; there’s a new acronym in town, and it’s an important one. The EU GDPR – or the EU General Data Protection Regulation – comes into force on the 25th May, and will affect the way that all UK and EU businesses handle customer data.

Despite the deadline rushing ever nearer, there are still many businesses that are not entirely clear on what GDPR will mean for them, leaving them unprepared and therefore potentially non-compliant with the new law.

Here we’ll cover the GDPR basics to help make sure you’re not caught out when the law comes into force.

What is GDPR?

In a nutshell, GDPR is a new set of regulations that controls how businesses store and process the personal data of their customers, and gives members of the public more rights on accessing the information companies hold about them.

All businesses that control or process the personal data of EU citizens will have to comply, no matter how big or small the company. So even if your company simply holds an email address book, you will need to take note.

By ‘personal data’ we mean any information that can be used directly or indirectly to identify an individual, including names, email addresses, photographs, IP addresses and credit card information.

The new EU GDPR is here to replace the previous Data Protection Directive which was set out in 1995. And, considering how much change has come about in the last 20 years, particularly when it comes to technology, it’s not surprising that the regulations have needed revamping.

So What’s New?

A few of the key changes to be aware of include:

  • Under GDPR all businesses that control or process people’s personal data will need to have new or updated privacy policies, and some will be required to draft data protection impact assessments and appoint data protection officers (DPOs) depending on the scale of the data controlling and processing being carried out.
  • GDPR will demand that all cases of “destruction, loss, alteration, unauthorised disclosure of, or access to” people’s data must be reported to that country’s data regulator (which in the UK is the ICO, the Information Commissioner’s Office) if there could be a detrimental impact on the individual whose data it is.
  • GDPR also brings with it two levels of fines for any infringements of the new regulations, which can be as high as €20 million, or 4% of the company’s annual turnover, whichever is higher.
  • Privacy policies will need to be updated to include a more accessible and transparent notice of data usage at the point of collection and consent.
  • Positive opt-in consent will be required for all data collection and subscriptions.
  • Under the GDPR, individuals can exercise their ‘right to be forgotten’, which means that all data a business holds on them can be permanently deleted or transferred to another controller. This was not always possible under the previous data protection act.


Is My Business a Data Controller or a Data Processor?

Your business will be subject to the GDPR no matter whether it is a data controller or a data processor, but here’s a basic overview of the key differences between the two:

Data Controller: A data controller is defined by the ICO as ‘a person or business who determines the purposes for which and the manner in which any personal data is to be processed’. So if your company is directly responsible for the way in which customer data is used, you are a data controller. A classic example of a data controller is Facebook, which controls the use and processing of the data of its billions of users.

Data Processor: A data processor is a person or business who holds or processes data on behalf of a data controller, but that does not exercise full responsibility for or control how that data should be processed. Classic examples of data processors include payroll companies and market research companies, all of whom use data provided to them by the data controller.

As is true under the previous data protection act, all data controllers will be subject to strict rules and liabilities when it comes to the use of personal data and the appointment of data processors. If your company falls under the bracket of data processor you are bound to comply with the rules laid down by the data controller, whilst also being under obligation to keep detailed records of all processing activities in order to demonstrate compliance.

Updating Your Privacy Policy

One of the most noticeable changes being introduced by the GDPR is the way in which privacy notices must now communicate to customers at the point of collection how their data will be used.

We’ve all seen privacy policies. How many of you have actually read one in its entirety? Us neither. They are notoriously complex and astonishingly lengthy (Facebook’s policy in 2010 was longer than the US Constitution), which are the key issues that GDPR is looking to tackle.

Under the GDPR privacy policies will still be lengthy, but they will also be required to lay out the most important facts in an easy-to-read, concise and transparent notice at the point of consent or data collection. This is to ensure that all customers have access to the most salient facts and will be able to understand exactly what will happen to their data, without having to read reams and reams of jargon.

Your new privacy policy MUST include the following points:

  • What sort of data is being collected?
  • Who is it being collected by?
  • How and why is it being collected?
  • What will it be used for?
  • Who will it be shared with?
  • How will this affect the individuals concerned?


Privacy Policies: What Not To Do

If you’re reaching for the copy and paste keys, stop right there. Copying and pasting privacy policy templates from the internet is disconcertingly common practice among smaller businesses, which perhaps don’t feel they have the time or the know-how to draft their own.

Do not fall into this trap.

While a privacy policy template is a useful tool in getting you started, it is not enough on its own. Every company has different goals, which means every company will use its customers’ data in a different way for varying purposes. Under GDPR, any company that does not explicitly state the manner in which data will be collected and used will be non-compliant with EU data regulations, which could result in a huge fine.

Take the time to draft a detailed and clear privacy policy that addresses all the above points; the alternative isn’t worth the time saved by copying and pasting.

Consent and Granular Opt-Ins

One final element of the GDPR that will change the way you collect customer data is consent. Gone are the days of pre-ticked consent boxes and default consent. Every element of data collection must be done through positive OPT IN means, giving your customers full control over what data you can collect from them and how you can use it.

For example, if you offer a subscription service on your website and you want to collect several different types of data (email addresses, names, images etc) you must offer a positive opt-in consent box. If, in addition to this, you want permission to send your customers additional information and/or share their personal information with third parties, you must have separate, granular opt-in boxes available that clearly explain what will happen at each stage. Blanket consent and vague descriptions will not be tolerated under the GDPR, so don’t be tempted.

This article has covered most of the basics when it comes to the changes the GDPR will bring come the 25th of May, but there is a whole lot more to it. For an even more in-depth guide to the new regulations, head over to the ICO website.