On 25 May this year (2018) the General Data Protection Regulation (GDPR) comes into force across the EU, including the UK. It marks a seismic shift in the landscape of individual data protection and has been designed to give consumers more control over their information. Individuals gain many more rights over how their information is collected and used, and any business that handles personal data has to make sure its processes are compliant. But what does this actually mean for customers who disclose personal data, and for the businesses that want to work with it?
What does GDPR mean for business?
Rather worryingly, the Federation of Small Businesses (FSB) surveyed its members and found that only around 8% felt ready for the changes, and only a third had begun to put measures in place to ensure GDPR compliance. Many said that they simply did not understand what was required of them, and that the scope of the GDPR is so broad that making the required changes could cost up to £10,000. The GDPR does not just set a new standard of data protection; it also ushers in a new era of enforcement. Any business, however small, that is not GDPR compliant could face fines of up to €20 million or 4% of its worldwide annual turnover, whichever is higher. So, what are the key areas of the GDPR that businesses need to note?
- The need for better consent. Consent is one of several lawful bases the GDPR recognises for holding and using someone's data, but where a business relies on it, that consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action. Pre-ticked boxes, silence and inactivity no longer count as consent, and nor does quietly harvesting personal data from websites.
- Consumers can withdraw consent at any time. Withdrawing consent must be as easy as giving it, and a withdrawal has to be actioned promptly. That is a significant problem for businesses that do not have systems able to trace where a person's data is held and stop every use of it.
- Buying marketing lists is no longer a safe option. Compliance with the GDPR presents big challenges for businesses looking to market to a new audience, because a business that buys a list cannot usually show that the people on it agreed to hear from that particular business, so cold calls and bought-in lists will mostly be unacceptable. Instead, it will be necessary to establish that the consumer really wants to hear from the business, and what it is they want to hear about.
- Data security now needs to be built in. The GDPR requires data protection by design and by default, and appropriate technical and organisational measures to keep personal data secure. Perhaps the most problematic new provision is breach notification: a business that suffers a personal data breach must report it to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to the people affected, and must also tell those people without undue delay where the risk to them is high. Having to tell customers that their data has been compromised could create some real issues for small businesses that rely on customer trust to grow.
What does GDPR mean for consumers?
Particularly in light of the recent Facebook and Cambridge Analytica scandal, there is a lot of focus right now on what happens to consumer data after we hand it over. But what is the GDPR really likely to change for consumers?
- The right to be forgotten. A consumer who does not want a particular business to keep holding information about them can ask for it to be erased, for example where the data is no longer needed for the purpose it was collected for, or where they withdraw the consent it was based on. The right is not absolute: a business can refuse where it still needs the data to meet a legal obligation, for instance, but it has to explain why.
- More privacy transparency. Businesses can no longer use long, complex or hidden privacy notices to bamboozle customers about what really happens to their data. The GDPR requires that notices be concise, transparent, easy to access and written in plain language, so it is all set out clearly in black and white.
- The right to access data. Consumers can ask a company to reveal all the information it holds about them. This used to be something businesses could charge for (in the UK, up to £10), but under the GDPR it must normally be done free of charge and within one month; a fee can only be charged where a request is manifestly unfounded or excessive.
- The right to object. Consumers have an absolute right to object to their data being used for direct marketing, including any profiling done for that purpose, and once they object the marketing has to stop. Businesses must draw this right to their customers' attention clearly and separately from other information, at the latest at the point of first contact.
- The necessity of opting in to communications. Because there are new and much stricter requirements for businesses to obtain proactive consent from consumers before contacting them, this should reduce the amount of unwanted communication people receive. Once the GDPR is in place a business will not be able to add customers to a mailing list just because they have made a purchase unless it has a lawful basis for doing so, and where that basis is consent, the consent must be specific to marketing and given knowingly.