Are you confident you’ll be compliant by May?

The biggest change in data laws the UK has seen in the last 20 years, the EU’s General Data Protection Regulation (also known as GDPR) is less than 5 months away.

This legislation replaces the current Data Protection Directive 95/46/EC, which aims to sync all privacy laws across Europe and protect EU citizens data privacy and regulate how companies use this information for marketing purposes.

You may be thinking, yawn.

However, when a letter asking for £500,000 million (or up to €20 million) comes across your desk, your jaw may slam shut. For a little peace of mind, the ICO has never issued a fine over £400,000 (what a relief, hey?).

If you’re thinking, they won’t get around to doing any harm before the UK leaves the EU in March 2019 – think again. GDPR is coming for the UK, despite Brexit.

While the impending GDPR deadline has been whispered around the EU since 2015, many companies and individuals haven’t actually acted on it. It has been recorded by the Direct Marketing Association (2017), that only 54% of businesses expect to be compliant by the deadline.

Founder and Strategy Director at Let’sTalk Strategy, Jenna Tiffany, delivered a first of its kind session on GDPR at UnGagged London in June 2017. Bringing to the stage her insider knowledge, Jenna revealed to attendees how they can prepare for this data protection act, and what steps to take to excel their marketing strategy accordingly.

UnGagged is returning to London again in June this year, and the GDPR is assured to be one of the hottest topics to be discussed at the event; just a mere month after the legislation is implemented… your company can’t afford to miss out on the advice shared.

Here’s what we learned…

  • What is GDPR?
  • Key Features of GDPR
    • The Individual’s Privacy Rights
    • The Organisation’s Obligations
  • What level of compliance is necessary for your company?
  • Key Steps to Take

What is GDPR?

General Data Protection Regulation (GDPR) commences on the 25th May 2018. By this date, EU and non-EU companies that process European citizen’s data have to already be GDPR compliant. GDPR aims to “harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy” (EUGDPR.org, 2017).

What are the individual’s privacy rights?

  • Valid consent – which is freely given, well informed and unambiguous
  • Transparency – all collecting and processing information is clearly understood
  • Correction – ability to amend inaccurate data
  • Right to be forgotten – obtain the right to ask the data collector to erase all of his/her personal data which he/she has provided to the controller
  • Data portability – can move personal data from one service provider to another
  • Automated Processing – not subject to a decision based solely on automated processing

What are the organisation’s obligations?

  • Accountability – a record of all data processing activities required to be maintained
  • Data Protection Impact Assessment (DPIA) – mandatory condition if the outcome of any processing activity is likely to result in a high risk to the rights of individuals
  • Data Security – technical and organisational measures are taken to ensure personal data is kept secure
  • Data Breaches – as soon as the organisation is aware of the breach, it is their responsibility to notify all customers, controllers and stakeholders within 72hrs
  • Data Protection Officer (DPO) – a DPO directs and oversees all data protection activities within the organisation
  • Data Transfer – data transferred to the EU, is only allowed if the necessary safeguards are in place

What level of compliance is necessary for your company?

Depending on the size of your company and the level of impact the GDPR will have (for example, it will vary for companies dealing with profiling and children’s data) will determine the severity of GDPR compliance. A comprehensive understanding of what the GDPR is and how it can be applied to the context of your business is essential. To achieve this, you could turn to professional auditing, or seek out a specialised legal consultant to assist you in achieving compliance.

What steps can I take to ensure I’m GDPR compliant?

  1. Investigate your current level of conformance to the DPA/GDPR
  2. Identify gaps that are preventing compliance
  3. Analyse the standard of your information security management system (ISMS) against an internationally accepted standard, such as ISO 27001
  4. Identify Private data
  5. Protect data with DLP
  6. Document your DPA/GDPR and information security policies
  7. Perform audits
  8. Undertake a GDPR staff awareness training
  9. Prepare steps you would take if you suffer a data breach
  10. Appoint a data protection officer (DPO)

Need to know more? Are you confident your company and marketers are GDPR compliant? Check out UnGagged on the 11-12 of June, 2018 for actionable strategies and advice.

Make the most of the Super Early Bird Sale ON NOW to get the best price offered this year!

First published on October 5, 2017.