The legislation surrounding how businesses must collect, store and process client data is changing.
From the 25th May 2018, the EU’s General Data Protection Regulation (GDPR) will come into effect, bringing European legislation into line with stricter laws elsewhere in the world and imposing heavy fines on all those who transgress. Therefore, it’s imperative that your company complies by handling its client data correctly.
What Is GDPR?
Although the UK’s imminent departure from the EU may have significant effects on business both domestic and international, British companies must still comply with GDPR by May 25th as the country will still be part of the bloc at that time.
Fundamentally, this involves updating and tightening up how client data (such as names, telephone numbers, email addresses and more sensitive information, like bank details, tax records and the like) are collected, stored and used.
Failure to do so could result in fines of up to €20 million (£17.7 million) or 4% of annual turnover (whichever is higher). Clearly, it’s important that you reassess your approach to client data handling to avoid such heavy penalties. Here are some of the broad strokes of what must be done in order to comply with the new legislation:
- Obtaining consent. Obtaining client consent to collect, store and process their data has been a common legislative requirement for many years, but GDPR will now require that the wording surrounding such consent forms be “specific, informed and unambiguous”. This may mean you need to revise existing contracts and consent forms.
- Withdrawing consent. As well as explicitly giving their consent, clients must also be free to withdraw that consent at any time. One such example is promotional material; even if a client has signed up to a newsletter or mailing list, they must be able to unsubscribe at any time.
- Clarifying purpose. When obtaining consent, you must now make it explicitly clear which purpose that data is being stored for – and you will be prohibited from using it for any purpose other than the one specified.
- Secure storage. It is your responsibility to ensure that appropriate security measures are in place to safeguard all client data stored by your company. In practical terms, this means using encryption technology where possible and only sharing the data with those who genuinely need it.
- Data location. Although GDPR does not specify that the data must be stored within the EU, it does specify that you will be held responsible for the security of any third-party firms used to store data, regardless of location. Should a breach occur and a complaint arise, you may be asked to provide evidence of a “suitable risk assessment” of the third-party company.
- Reporting breaches. Should the sensitive data of any client become compromised, it is your duty to report the breach within 72 hours of its occurrence.
For companies with more than 250 employees, it will be necessary to appoint a Data Protection Officer (DPO) to oversee all of the above facets of GDPR compliance and data handling. However, the new rules will affect companies of any size, so it’s essential to ensure that you comply before it comes into effect.