In the last few years you will have heard about the growing use of data collection, which allows brands and organisations to track everything you do online and offer more tailored, targeted and personalised products and services than ever before. The benefits of this to the consumer may be obvious, but they raise many ethical questions, and not just when personal data is in the hands of unscrupulous businesses.
It’s been clear for some time that data laws need to change and will be changing – but quite often the terms in which this is discussed are vague, sensationalist or highly technical. We’ve created a simple guide for those who want to know more about what the new regulation is, and what its impact is likely to be.
What is GDPR?
On 25 May 2018, the General Data Protection Regulation (GDPR) will be enforced across Europe, including the UK. The law aims to give citizens more control over their data and to create a uniformity of rules to enforce across the continent.
Why should businesses care about GDPR?
Although this law comes from the EU, it will have a global impact. It will affect any business holding personal data on customers, prospects or employees based within the EU, and such businesses need to be preparing for the change now. If businesses ignore this law, they can be fined up to €20m or 4% of their global annual turnover.
Giant fines aside, it’s worth remembering that data protection is more than a compliance issue. Customers care about their privacy and expect businesses to respect that. It’s good business sense to demonstrate that you ‘get’ this cultural aspect, as well as the financial one.
What are the new rules?
The rules are very complex, but our advice is not to be overwhelmed by them or to see the GDPR as your enemy. If you build the rules into your organisational culture rather than being tyrannised by them then they will help you manage data more effectively, internally and externally.
The rules can be seen as following six themes (as outlined in the infographic here):
- Know what you have, and why you have it
- Manage data in a structured way
- Know who is responsible for it
- Encrypt what you wouldn’t want to be disclosed
- Design a security aware culture
- Be prepared – expect the best but prepare for the worst
What is the impact on businesses?
The impact on businesses will undoubtedly be huge. The new rules will require businesses large and small across the globe to transform their policies, structure and personnel to ensure compliance and adherence. Data protection and security have to be built into the fabric of organisations and not farmed out or siloed. So while your security and compliance people should be very concerned with getting the detail right, every other colleague should care about and be aware of the principles, at every level and in every discipline.
However, as noted above, if businesses and organisations see this as an opportunity to present themselves to their customers and target audiences as more responsible and empathetic on the topic of data, this cannot be a bad thing. This will be particularly true if it enables stronger relationship building, because it potentially offers the basis for more equality and trust between businesses and their customers.
What does it mean for the consumer?
While many consumers may not be aware of the change, many will begin to notice some differences in how businesses and organisations communicate with them. Privacy notices will be more transparent, consumer rights will be upheld and publicised, and news about data breaches will travel faster and be harder to cover up. It may seem to some consumers that data is less secure after the change simply because the volume of news on it will increase. While they may be concerned about this, they will also be reassured by the sizeable fines for unscrupulous and sloppy data management.
What to do now
Our view is that, in addition to making sure the results of the regulation improve customer experience, this is a great opportunity for businesses and organisations to think about how they develop data protection into a lifestyle, how it is embedded into their day-to-day culture. This is the ideal time to review employees’ attitudes and understanding of data protection and identify insight that will help organisations create strategies and plan for a smooth transition to the new structures and processes necessary for effective adherence to the GDPR.
Talk to us about how we can help your business get ready for GDPR and improve your overall data security and business continuity.
In the meantime, here’s some further reading. We found the following resources and articles helpful in preparing this piece:
- The GDPR in full
- The elephant in the room – what the GDPR means for business (and what the penalties are for not adhering to it)
- A dummy’s guide to the GDPR
- Another dummy’s guide to the GDPR – America focused, what it means to US companies
- The Register on how Brexit impacts the GDPR for UK businesses (hint: it doesn’t)
- Infographic on what the new rules are and what organisations have to do to adhere
- The good, the bad and the ugly of GDPR
- How the GDPR will affect consumers