Insight

GDPR Q&A: Everything you need to know

The new General Data Protection Act (GDPR) that is coming into force on 25 May 2018 has raised plenty of questions. With the legislation looming over the marketing industry, many companies are still unclear about what they need to do to comply, when they need to do it, and how.

Here, we have distilled the key points into a handy Q&A, to help guide you through the changing landscape:

Firstly, what is the GDPR?

It is an EU regulation, aiming to change the way in which personal data is collected, processed and stored. Currently, there are many inconsistencies in data security across Europe, and this law is designed to improve data sharing between member states. The idea behind the new legislation is to usher in a new era of accountability – helping businesses to understand the risks of data and how to uphold privacy values.

What do you mean by ‘personal data’?

Personal data is defined as any piece of information that relates to, or can be traced back to, an identifiable person. As well as the obvious details, such as name and address, it also includes other information, like a reference number, the user’s IP address, sales records and even the content of emails.

Do the regulations apply to my business?

The new regulations apply to b2b organisations, particularly if you handle personal data, and you are either a controller or processor of that data. The ‘data controller’ is the organisation (or person) that determines what happens to the data. The ‘data processor’ is the organisation (or person) that handles the data.

How will Brexit affect the new regulations?

Brexit is a controversial point; many think that as the UK is leaving the EU, the new regulations won’t matter. While negotiations are still unclear, the UK government has confirmed that data protection is still a priority, and that they have already drafted revised legislation that mirrors the GDPR. This means that the UK will have to comply with GDPR for almost a year before Brexit, and a similar plan is in place for afterwards.

What do I need to do before May 2018?

Check that your customers have positively opted-in to receive information from your company. Conducting a full audit is the best way to do this. It may be a time-consuming process, but it’s important to keep your personal data as up-to-date as possible. Some people will inevitably opt-out, but at least you will only be communicating with those who have shown interest.

What happens if I don’t comply?

The sanctions that can be imposed on your company are one of the biggest changes to data protection law. Currently, the Data Protection Act of 1998 states that the maximum fine for not complying with GDPR is £500,000. Under the new regulations, maximum fines of €20 million or 4% of gross global turnover could be implemented. For failing to notify the authorities or individuals of a data breach, the highest fine could be €10 million or 2% of global turnover.

Now is the time to get your plans in place for the new GDPR. For more information on the regulations and how to comply, download our white paper, or follow us on Twitter and LinkedIn to keep up-to-date with our latest insights on the topic.