The Data Protection Act has been governing what businesses can and can’t do with the personal information of their customers since 1998, but that’s all due to come to an end soon; really soon. Next year in fact.
But it’s being replaced by the “General Data Protection Regulation (GDPR)”, which will come into effect on 25th May 2018.
When one act is replaced by some other regulation, most people don’t tend to pay too much attention – and a lot of the time, I understand why – but this is a big deal. A really big deal. The reality is, many businesses aren’t even compliant with the current act (which is a problem in itself), but the new regulations carry with them some hefty fines (maximum penalties may be 4% of annual global turnover or up to €20m, whichever is higher!), so it quite literally pays to be in the know here.
Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now
The awesome folks over at the ICO put together this guide to the 12 steps to take now if you’re preparing for the GDPR. These 12 key steps help guide you through what you need to have in place before the regulations come into effect.
As a quick reference guide, I’ve summarised these key points from the above.
Organisations will have to be able to demonstrate compliance through the use of policies and procedures, staff training, audits and the pseudonymisation of data. Pseudonymisation is a procedure by which the most identifying fields within a data record are replaced by one or more artificial identifiers or pseudonyms; there can be a single pseudonym for a collection of replaced fields or a pseudonym per replaced field. Records must be kept of data processing activities, except in limited circumstances (e.g. fewer than 250 employees and no sensitive personal data is processed).
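To make the two flavours of pseudonymisation concrete, here is an added example (not from the ICO guide or any product) that replaces the identifying fields of constructed customer records with keyed pseudonyms, either one per field or one per record. The field names, sample records and the key are all assumptions; the key is what turns the pseudonyms back into people, so it is the thing to lock away.

```python
import hmac
import hashlib
from typing import Dict, Iterable

# Constructed sample customer records (not real people).
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "order_total": 42.50},
    {"name": "Bob Example", "email": "bob@example.com", "order_total": 17.00},
    {"name": "Alice Example", "email": "alice@example.com", "order_total": 9.99},
]

# Hypothetical secret key. In practice generate it randomly and store it
# separately from the pseudonymised data set with tight access control:
# whoever holds it can re-identify the records, so the output is still
# personal data under the GDPR for as long as the key exists.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"


def _pseudonym(key: bytes, value: str) -> str:
    # Keyed hash rather than a plain SHA-256: an unkeyed hash of an e-mail
    # address can be reversed by hashing a list of likely addresses.
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(record: Dict, identifying: Iterable[str], key: bytes,
                 per_field: bool = True) -> Dict:
    """Copy `record` with its identifying fields replaced by pseudonyms.

    per_field=True : one pseudonym per replaced field (field names kept).
    per_field=False: the identifying fields are dropped and one 'subject_id'
                     pseudonym stands in for the whole collection.
    Other fields (e.g. order_total) are left untouched.
    """
    identifying = list(identifying)
    out = {k: v for k, v in record.items() if k not in identifying}
    if per_field:
        for field in identifying:
            # Domain-separate by field name so equal values in different
            # fields do not yield the same pseudonym.
            out[field] = _pseudonym(key, f"{field}:{record[field]}")
    else:
        # Unambiguous join: ("ab","c") and ("a","bc") must differ.
        out["subject_id"] = _pseudonym(key, "\x1f".join(str(record[f]) for f in identifying))
    return out


if __name__ == "__main__":
    for row in SAMPLE_RECORDS:
        print(pseudonymise(row, ["name", "email"], SECRET_KEY, per_field=False))
```

Because the pseudonym is deterministic for a given key, the two orders from the same customer still link together for analysis, which is the point of pseudonymising rather than deleting.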
What do I need to know about the GDPR for my business?
As you can imagine, all the regulations are important, but here are a few takeaways that you should definitely have on your radar.
- If you’re handling personal information about your customers, you need to be thinking about an SSL certificate for your website. This encrypts information that is sent to your site from your customer’s computer so it can’t be read if it’s intercepted (think of the https you look for when you’re entering your credit card information into a website; that’s delivered using an SSL certificate).
- If you’re using tick boxes to allow your customers to opt into your marketing emails – awesome, well done. But if you’re pre-ticking those boxes so customers have to untick them in order to not receive emails, that needs to stop.
- If you’re sending emails to customers and you’re revealing their email addresses in the TO or CC fields of your emails, that needs to stop right now (that’s already a no-no), but the penalties are looking to be much more hefty with the new regulations.
There are a few things to be aware of, but you know what, as with most things, it’s mostly common sense. Consumers don’t want to be pestered with marketing materials, they want to opt-in to those that they want. If you’re sending people stuff that they don’t want, you’ve probably made a pretty bad marketing decision somewhere along the way anyway.
These new regulations, while raising the game when it comes to penalties, also raise the bar for standards. And I can’t help feeling that is a good thing.
If you’d like to stay up to date with the latest about the GDPR as we discover more about its implications for businesses like yours, and lots of other useful and cool stuff, sign up to our free emails to be the first to get to know about updates.