The General Data Protection Regulation (GDPR) is the EU’s new data protection legislation. It is designed to give people control of their personal data and to simplify the regulatory environment for international business by applying one set of rules across the whole EU.
Currently the UK abides by the Data Protection Act 1998, but this will be superseded by the new regime, which introduces far tougher fines for non-compliance and for breaches of personal data.
GDPR is a regulation, not a directive, which means it applies automatically in every member state without national legislation having to be drawn up first. It applies from 25th May 2018.
GDPR isn’t new. It actually came into force on 24th May 2016, but businesses have been given until the 25th May to comply. Even though the UK is set to leave the EU, businesses will still have to abide by GDPR.
Whether you’re a ‘controller’ (you decide why and how personal data is used) or a ‘processor’ (you handle it on a controller’s behalf), you need to be GDPR compliant. GDPR applies to any business that stores or handles the personal data of individuals in the EU, wherever the business itself is based. Whether it’s an email list you’ve been marketing to, postal addresses of your customers, data you’re capturing via web forms, data collected at events or a prospecting list you’ve purchased, GDPR will apply to you.
It is your responsibility to make sure that any personal data your business holds was acquired lawfully and is used in line with GDPR. Every record needs a lawful basis that you can point to; for marketing lists that will usually be consent, and consent only counts if it was freely given, specific, informed and unambiguous. Anyone who has unsubscribed or objected to direct marketing must receive no further marketing from you: the right to object to direct marketing is absolute.
Firstly, don’t panic. Then draw up a list of all the data you hold. Ask yourself if you have a genuine need to hold all of it. Assess whether you can prove that any data you hold was acquired with consent, and whether you have a specific purpose for holding it. If you’ve got old data for customers you haven’t contacted in years, now is the time to get rid of it.
Motionlab takes a firm stance on buying data - it’s not something that we advocate. If you’ve bought a list in the past, we would recommend that this is deleted, unless you can prove that it was lawfully acquired by your supplier.
Going forward, you will need to put measures in place so that you can clearly obtain an individual’s consent to collect and store their data, and explain how you intend to use it: the type of contact (email, phone, post), and the frequency and nature of the contact you intend to have with them. Keep a record of when and how each consent was given, because you may be asked to prove it.
This can be done by adding separate opt-in fields to any web forms you use to collect data, and by adding opt-in and data-use boxes to any printed data collection material. The boxes must be unticked by default; a pre-ticked box or silence does not count as consent. You can also contact your active email subscribers and ask them to re-opt in.
There have already been some hefty fines for companies that have misused data in the UK. But, as with many laws, it’s all relative. Small businesses have to comply, but the maximum fines are set relative to global annual turnover (up to 4%, or €20 million if that is higher), so a small business will not face the sums levied on a large corporation for a comparable failing.
The ICO (Information Commissioner’s Office), the UK’s independent authority set up to uphold information rights in the public interest, will be enforcing GDPR in the UK. It’s likely they’ll focus on the country’s biggest businesses in the first instance, and they will be relying on an internal resource of around 300 officers to do so.
Businesses that cannot show they have the right measures in place will be liable to pay fines. And if you don’t comply and contact someone unlawfully they are well within their rights to report you to the ICO, who will be obliged to follow up and investigate any complaint they receive.
So it’s not just the monetary risk that comes with not complying; companies could also take a hit to their reputation when their non-compliance is publicised.
We can ensure all your website forms and registration cover the appropriate opt-in to ensure you’re compliant and able to broadcast future marketing and sales communications.
Don’t just give the user one box to opt in to all communications; give them a choice. Motionlab will help you to develop an opt-in process which offers the user separate choices for each channel, such as email, phone, post and SMS. Furthermore, we will allow a recipient to state which products or services they wish to hear about, so that each send can be checked against exactly what was agreed.
To ensure your data collection is compliant, Motionlab is able to implement double opt-in: after the form is submitted, a confirmation link is emailed to the address given, and nothing is added to your marketing list until that link is clicked. This confirms that the person who entered the email address actually controls it and actually wants to subscribe to future communications, and it gives you a timestamped record of the consent.
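The opt-in, double opt-in and unsubscribe handling described above, written out as an added example. This is constructed illustration code, not Motionlab’s own implementation: the in-memory dictionaries stand in for your database, the confirmation email is simulated by returning the link token, and the 48-hour link lifetime and the four channel names are assumptions. The confirmation token is HMAC-signed and expiring, so a link cannot be forged, altered to confirm a different address, or replayed after use, and every send is gated by a single check that the address is confirmed, not suppressed, and ticked for that exact channel and topic.

```python
"""Double opt-in with granular channel consent, signed expiring confirmation
tokens, and a suppression list. Constructed example, not Motionlab's code."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

CHANNELS = ("email", "phone", "post", "sms")   # the opt-in choices offered on the form (assumed)
TOKEN_TTL_SECONDS = 48 * 3600                   # assumed validity of a confirmation link


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class ConsentStore:
    def __init__(self, secret: bytes, now=time.time):
        self.secret = secret            # server-side HMAC key; never sent to the client
        self.now = now                  # injectable clock so expiry can be tested
        self.pending = {}               # token id -> request awaiting confirmation
        self.confirmed = {}             # email -> confirmed consent record
        self.suppressed = set()         # addresses that unsubscribed: never contact again

    def request_subscription(self, email, channels, topics, source):
        """Record what was asked for and return the single-use confirmation token
        that would go in the emailed link. Nothing is marketable until confirm()."""
        email = email.strip().lower()
        if email in self.suppressed:
            raise PermissionError("address has opted out; no further contact allowed")
        channels = [c for c in channels if c in CHANNELS]
        if not channels:
            raise ValueError("the user must actively tick at least one channel")
        token_id = secrets.token_hex(16)
        payload = json.dumps({"id": token_id, "email": email,
                              "exp": int(self.now()) + TOKEN_TTL_SECONDS},
                             separators=(",", ":")).encode()
        sig = hmac.new(self.secret, payload, hashlib.sha256).digest()
        self.pending[token_id] = {"email": email, "channels": channels,
                                  "topics": list(topics), "source": source,
                                  "requested_at": int(self.now())}
        return f"{_b64(payload)}.{_b64(sig)}"

    def confirm(self, token):
        """Validate the link the user clicked. Returns the consent record, or None
        for malformed, forged, expired, unknown or already-used tokens."""
        try:
            payload_b64, sig_b64 = token.split(".", 1)
            payload, sig = _unb64(payload_b64), _unb64(sig_b64)
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(self.secret, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None                                    # tampered or forged
        data = json.loads(payload)                        # safe to parse: we signed it
        if data["exp"] < self.now():
            return None                                    # link too old
        record = self.pending.pop(data["id"], None)       # pop makes the token single-use
        if record is None or record["email"] != data["email"]:
            return None
        record["confirmed_at"] = int(self.now())           # the proof of consent you keep
        self.confirmed[record["email"]] = record
        return record

    def unsubscribe(self, email):
        """Honour an opt-out: drop the record and suppress the address for good."""
        email = email.strip().lower()
        self.confirmed.pop(email, None)
        self.suppressed.add(email)

    def may_contact(self, email, channel, topic):
        """The check every send must pass: confirmed, not suppressed, and this
        exact channel and topic were ticked on the form."""
        email = email.strip().lower()
        record = self.confirmed.get(email)
        if record is None or email in self.suppressed:
            return False
        return channel in record["channels"] and topic in record["topics"]
```

The suppression set is kept separately from the consent records on purpose: deleting a record alone would let the same address be re-added by a later form submission or a purchased list, whereas the suppression entry blocks that at request time.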
Data Cleansing (or Data Scrubbing) is a key action when complying with GDPR. Motionlab is able to support you with cleansing your data: identifying and then removing or amending any data within your database which is incorrect, incomplete, duplicated or unnecessary to hold.
Subject access is another compliance point which your business will need to adhere to. This allows an individual to request a copy of all the personal data you hold on them. Motionlab is able to develop a dedicated landing page which allows a user to request a report on the data you hold on them. These requests have to be actioned within one month of receipt (often summarised as 30 days), and you must verify that the requester is who they say they are before releasing anything.
With fines possible for losing personal data, it’s incredibly important that your web applications and servers are kept secure and fully up to date with security patches as they are released, and that you can spot and report a breach quickly. Motionlab is able to maintain your website if support is required.
Serving your website over HTTPS, using a TLS certificate (still commonly called an SSL certificate), is a must in today’s online world. It encrypts the data passing between a visitor’s browser and your server, so form submissions and login details cannot be read or altered in transit, and it lets the browser verify that it is talking to your domain and not an impostor. It does not vouch for the content of the site itself, so it complements, rather than replaces, the patching and access controls above.