Getting your head around GDPR


You will have heard about GDPR, the new legislation coming into force from 25th May 2018. It is designed to give individuals greater control over the personal data companies hold on them and what they do with it. Understanding the legislation and what is required of you and your business is important, as fines for non-compliance are severe. The information below is intended as a quick guide to help you get your head around it. The legislation is exhaustive and there is a lot to cover, so we would recommend seeking legal advice on any areas you are unsure of.

Why the need for this change?

The last major overhaul of data regulations was 20 years ago, before Google, Facebook, Apple and other technology companies collected and processed personal data from millions of people.

In the UK we relied on the Data Protection Act 1998. However, because data protection rules were inconsistent across EU member states, the European Parliament, Council and Union have come together and developed a new common standard for the collection, storage and processing of personal data.

Does GDPR just relate to Marketing?

No, GDPR does not relate only to marketing. It is about the lawful and fair processing of personal data, with emphasis on the 'fundamental rights and freedoms' of individuals, known as 'data subjects'. This covers how organisations collect, store, transfer or use personal data and includes, for example, employee records, supplier and customer information, and prospects or sales leads.

Although GDPR relates to the personal data of individuals rather than to businesses, any data that can identify a 'natural person' will fall under the new regulations. This includes an individual's name or email address.

What is required to comply with GDPR?

You should conduct a DPIA (Data Protection Impact Assessment) or audit and clearly document the personal data you hold across your business, how and when you collected it and how it is used.

Procedures must be in place to regularly update the information so that it stays accurate, and to detect and report any data breach (such as a computer hack or data theft by an employee). You will have to ensure these procedures are put into practice, not just written down.

A clear privacy policy for your business must be available, showing the legal basis for processing the personal data you hold.

Do I need consent to market to prospects?

This is a cause of confusion for many companies. 'Consent' is one way to comply with GDPR, but there are in fact five other legal grounds for processing personal data, including 'contract' and 'legitimate interest'.

For direct marketing to new customers, particularly business-to-business, legitimate interest will usually be the legal basis for processing personal data, although organisations will need to demonstrate that they have balanced their own interests against the rights of the individual.

But as explained already, you must make sure the information you hold is up to date! 


The secure login area has some further information you may find useful, to help you with some of the documentation required. Otherwise, you may need to seek legal advice to ensure that you comply. Visit www.glazeritewindows.co.uk/login

As the UK's independent authority, the Information Commissioner's Office (ICO) is the best source of information on GDPR compliance: www.ico.org.uk
