Is your business prepared for the upcoming GDPR legislation?

Three months ago, I wrote an article about the new General Data Protection Regulation (GDPR) legislation and how it would have a major impact on the way companies collected personal data. The article highlighted some of the issues facing organisations and how it could potentially result in hefty fines being given if the new rules were not adhered to.

With GDPR coming into force on 25 May 2018, businesses have a little over 8 months to fully familiarise themselves with the most important change in data privacy in the last 20 years. The legislation will apply to all businesses within the European Union – and even though the UK will be leaving the EU, GDPR will still affect the UK, as it comes into force before 2019.

We mentioned previously how personal data can only be held with explicit consent from the subject – resulting in direct marketing essentially going from an opt-out rule to an opt-in one. Such a change would therefore completely alter the way businesses conduct their marketing and sales strategies. In summary, this would heavily impact the marketing department, because the biggest change will be the new opt-in permission rules for customers. All current data held by an organisation is going to require auditing against the new standards, and if it doesn’t comply, it would need to go through a process to obtain additional consumer consent. Additionally, the user also has the right to withdraw that consent at any time, which you as an organisation must honour. Failure to do so will not only cause reputational damage to your company, but also leave a large hole in your organisation’s finances. Depending on your company’s financial situation, if you were to be hit with one of these fines, it could even lead to insolvency.

Now let’s get to the numbers and look at why insolvency could seriously threaten your business should you fail to comply with the new legislation. The most alarming aspect of not complying with GDPR is of course the large fines for non-compliance. The fine structure will be split into two tiers, tier 1 and tier 2. Should your organisation suffer a data breach, it must be reported to the UK’s Information Commissioner’s Office (ICO) within 72 hours. Should you fail to report this to the ICO, substantial fines could be imposed. In the most serious of breaches, this could result in a fine of up to £17.25m or 4% of global annual turnover, whichever is greater. The second tier, although deemed more lenient, still carries an £8.6m fine or 2% of your previous year’s global turnover – again, whichever is greater.

Under GDPR, a number of businesses will be required to appoint Data Protection Officers (DPOs). This includes public authorities and organisations whose core activities consist of processing sensitive personal data on a large scale. The DPO will essentially be ‘policing’ an organisation’s data collection methods and ensuring they are fully compliant with GDPR. In addition, the DPO will also act as the main contact with the regulatory authority in the event of a data breach.

In summary, the legislation improves the protection of individuals – particularly in relation to the processing and use of personal data, handing individuals more control in the process. Therefore, we cannot stress enough the importance of familiarising yourself with the new GDPR legislation in advance, to avoid any potential hiccups once the legislation comes into full effect. It is also important to understand that the legislation has been set up so that organisations only hold and process data they absolutely need. GDPR essentially introduces ‘privacy by design’, which means that when designing any new system, data privacy measures must be built in from the start, as opposed to being added at a later date.

Ahmed Ali

Marketing & Practice Development Executive

All contents Copyright © PCR (London) LLP unless otherwise noted. None of the elements on this website may be reused without permission.