You may have noticed a lot of emails coming into your inbox lately asking you to agree to new terms and conditions. What you may not have realised is that it's all part of a wider policy, direct from the EU. The General Data Protection Regulation (GDPR) applies to organisations that process the personal data of people in the EU's member states, wherever those organisations are based, and is meant to protect the data of consumers and citizens. The theory lies in giving the latter more power to control what happens with their data.
This isn't a snap reaction from the EU in the wake of the Cambridge Analytica scandal, or what we'll call Datagate (or datagata… sorry). It has been in the pipeline for four-odd years, because there's a definite need to bring data-protection legislation, which dates from the mid-1990s, up to date for the digital age.
Way back in 2015, Andrus Ansip of the Digital Single Market group put it nicely: “The digital future of Europe can only be built on trust. With solid common standards for data protection, people can be sure they are in control of their personal information.”
If you run a business, or have ever dealt with one (which you have), you'll probably be aware that data is king. Almost everything that happens, from marketing to purchasing, affects and is affected by data. In fact, a buzzword in marketing over the past half-decade has been 'big data', because it's just so critical. And naturally, when something is so important and so accessible, it gets abused.
Under the GDPR, businesses have to ensure they're gathering people's data on a lawful basis (consent is the most familiar basis, but it is only one of the six set out in Article 6) and, just as importantly, must put appropriate technical and organisational measures in place to protect that data (Article 32).
So, this has been in the pipeline for years: the regulation was adopted in April 2016, and since 25 May 2018 every organisation in scope has had to be compliant or face big penalties.
So, how does GDPR affect your (UK) business?
Most of our clients are based in the UK, so that's where we're focusing this article. But you should be aware that, even if you're based outside the EU or UK, offering goods or services to people in the EU or monitoring their behaviour (for example, tracking visitors to your website) brings the GDPR to your door (Article 3).
There are a number of elements in this legislation that are critical to understand and to back with corresponding policies. If you own a business and haven't already, you may need to talk to a lawyer about this.
However, the key parts are:
According to Article 4, there are two roles when it comes to handling data: processors (a "person, public authority, agency or other body which processes personal data on behalf of the controller") and controllers (a "person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data"). The GDPR places direct obligations and liability on both roles; under the previous regime, processors were largely outside the scope of direct liability.
The burden is on the company to explain clearly, when collecting data from a consumer or citizen, what data is being collected, why and on what lawful basis, where it is being stored, how long it is kept and who it is shared with (Articles 12 to 14). Failing to do so is a breach of the regulation, and the supervisory authority (the ICO in the UK) can fine you or order you to stop processing the data altogether.
Fines can be massive. There are two tiers: up to 10 million euros or 2 per cent of a company's worldwide annual turnover, whichever is higher, for failures such as inadequate security or record-keeping, and up to 20 million euros or 4 per cent of turnover, whichever is higher, for the more serious infringements, such as breaching the basic principles of processing or the rights of data subjects (Article 83). We'll let you work out what that could mean! And don't think this applies only to massive infringements; simply mishandling the storage of data can attract a fine.
What about Brexit? Aren’t we exempt in the UK?
Although we're getting ready to leave the EU as a member state, those of us in the UK are still bound by these rules and will remain bound by them. The UK Government has said that Brexit won't change its stance on this, and the Data Protection Act 2018 writes the GDPR's requirements into UK law.
So all of you in the UK – stick to your guns on this. There’s no way around it.
This article is not intended as legal advice. The views expressed herein are not necessarily those of Wolf. Please seek objective legal advice if you have any queries surrounding GDPR legislation.