Prior to the Covid-19 pandemic, the majority of UK companies employed an on-site workforce to conduct the day-to-day running of their business, with only 27% of employees having worked from home at some point in 2019, on average.
The regulations significantly clampdown on the ways in which you can collect data, and what you can use it for.
What’s more, the punishments for breaching data regulations or misusing customer data can be a fine of up to 4% of global annual turnover.
It’s therefore no exaggeration to say that you can’t afford to get on the wrong side of GDPR. Here’s what you need to be thinking about.
What does GDPR change?
The new legislation is attempting to ensure that businesses only collect personal data when absolutely required and with explicit consent.
- A more comprehensive definition of ‘personal data’, which is likely to see previously exempt businesses now under the jurisdiction of the legislation
- Requiring businesses to record proof of consent when a subject agrees to have their data collected
- Statutory obligations for data processors as well as data controllers
Easy ways to get caught out by GDPR
Given how strict the rules are, and how extensive the punishments can be, you want to make sure that your business is on the right side of GDPR.
That could be easier said than done, however, as there are numerous practices used today that you might not even be aware would breach the legislation.
An obvious example is the way in which consent is collected and the data then used. Under GDPR, data can only be used for the purpose for which it was consented; a rule that is likely to wreak havoc with many company’s email marketing strategies for starters.
Unfortunately, one of the pitfalls of preparing for GDPR could be…preparing for GDPR.
Earlier this year Flybe was fined £70,000 for breaking existing data protection rules in an attempt to ensure everyone on its mailing list still wanted to be there.
Obtaining this retrospective consent is important, as you need to be able to prove a data subject agreed to your marketing, but unfortunately for Flybe they also sent millions of emails checking for consent to people who had previously unsubscribed from their marketing.
Considering many people copy one off another website and change some of the wording, or use a template, the chances are you may need a rewrite.
How to prepare for GDPR
There are lots of things to check, if not change, regarding your business practices before GDPR comes into force in around two months’ time.
You need to get started straight away if you want to ensure your business is fully-compliant and that potentially expensive breaches are avoided.
Here’s a quick overview of everything you need to consider.
- Audit your data – know what data you hold, how it was collected, and why
- Review consent – if you can’t prove your subject consented, obtain it again
- Update your systems – ensure that data protection is a core focus of all your documentation and system design
- Ensure easy access for data subjects – make sure you have a system in place to follow when a subject asks to see the data you hold on them
- Know how to spot a data breach – train yourself and your staff to avoid misuses of data and to spot breaches when they happen
- Review your privacy notices – are they clear and concise?
- Know when to do a risk assessment – are you processing high-risk data?
- Understand whether your business needs a data protection officer (DPO)
Time is running out to prepare for GDPR
The worst-case scenario is that you need to make significant changes to your business practices, data collection and marketing to avoid falling foul of the latest regulations.
For that reason it’s crucial to make sure your business is GDPR compliant as soon as possible.
The effort involved in doing so will be far less inconvenient than the fines that can be levied for breaching the new regulations.