What do you really need to know about GDPR?
As the introduction of the General Data Protection Regulation (GDPR) approaches, Bethany Whymark speaks to East Anglian experts about the facts – and myths – around the biggest data protection shake-up in two decades.
You've seen the media coverage, sat through seminars, overheard countless discussions and received dozens of polite emails for contact consent.
But despite the information overload, are you ready for GDPR?
The new European General Data Protection Regulation comes into force on Friday, changing the way organisations can collect, process and store personal data. It also gives more rights to individuals to discover what data you hold on them.
With fines of up to 20 million euros or 4% of global turnover, experts have been reiterating the importance of GDPR compliance for months.
David Higgins, co-founder of the Norfolk Cyber Security Cluster, said evidence suggests that only 60% of firms will be compliant by the May 25 deadline.
He advises those still grappling with the task not to panic, and suggests stripping things back to the bone. "Start with the attitude that you don't have permission to do anything with your customers' data, even if they gave you permission to use it in the past, and go from there," he said.
Alex Saunders, a solicitor in Leathes Prior's corporate and commercial team, said assessing what data your business holds and why should be the first action.
"I can never stress this highly enough because you cannot be expected to comply with the GDPR - or even understand it - if you do not know what data you hold," he said.
Darren Chapman, director of Wymondham-based cyber security consultancy Cyberscale, said the GDPR was as much about cultural change towards data handling as it was about policy and procedure.
"One of the things it is trying to instil is having a sense of responsibility about the data you hold on people and how you treat it," he said.
He advises people to look at GDPR in a "positive light", adding: "When you get to marketing, if you end up with a shorter mailing list, the people on it are likely to be more engaged with you."
Katie Harris-Wright, from the employment team at regional law firm Birketts, said employers should be wary of reputational damage as well as the punitive measures imposed by the new law.
She added that, while prevention is the best course of action, a cure is equally important. "Make sure you have the right procedures in place to detect, report and investigate a personal data breach," she said.
Busting the GDPR myths
Information on GDPR has been building for years - along with a fair amount of misinformation.
To help you know what's what, our experts go mythbusting.
I only have to worry about GDPR if my data security is breached
Given how big a topic data protection is in business today, poor practise could cause reputational damage and impact commercial opportunities. Plus, consumers will have new rights over their personal data which they could try to exercise.
It's all about consent
Alex Saunders of Leathes Prior said the idea that consent is needed for every shred of data is false, with two exceptions covering a "huge amount" of day-to-day business activities.
"Most businesses will realise processing a contract requires processing of data.
"Likewise there is a 'legitimate interest' ground [for holding data], which can apply to direct marketing," he said.
While the paramount importance of consent is a headline of the new regulations, it will also change the game for individuals - or "data subjects" - who will be able to get the data an organisation holds on them for free, rather than having to pay as they do under current law.
It is just an IT problem
The word data often signals an IT issue, but GDPR will also require cultural change about how personal data is gathered, processed, stored and used in an organisation.
Darren Chapman of Cyberscale said: "You need someone or a team who is responsible for planning, but it is really about making everyone in the business aware of what their responsibilities are and why. GDPR requires a multidisciplinary approach - it is not just a legal, marketing or IT issue."
As its European legislation, GDPR won't count after Brexit
Wrong - UK businesses will still have to comply by GDPR after the country leaves the EU next March, and it is likely any replacement copied into UK law will have parity with GDPR.
Getting compliant will be expensive
He said: "GDPR is just about 'data security' - keep it safe, and speak to a proper data protection lawyer."
GDPR: The 48-hour hack
There are now just two days remaining to get GDPR compliant.
But don't panic - just follow the steps in this 48-hour hack from the aforementioned experts.
- Find out what data your company holds, from whom - for example customers, employees or suppliers - and how it is stored and managed.
- Look at the reasons the company has for holding and using the data.
- Secure all data and restrict access where necessary.
- Assess what data the company needs consent to hold, and make sure the third parties it shares data with are protecting it properly.
- Identify amendments which need to be made to privacy settings and policy to make them compliant - this could include creating a data privacy statement.
- Make sure all employees who handle data are educated about the impact of GDPR.
- Further steps could include reviewing how customer consent is obtained, and how digital data is protected.
Marketing and GDPR
One of the sectors expected to be hardest hit by the legislation changes is marketing.
While the mailing list is only one tactic in a growing marketing arsenal, firms are likely to feel a pinch as customers opt out and their databases shrink.
Rebecca Lewis Smith, manager director of Fountain Partnership, said a negative effect on "marketing outcomes" - getting fewer leads for the same amount of "conversations" - could push up service prices.
"If you are relying on affiliate marketing or third party brokering you are having to ask for more consent, which is going to mean fewer people will go onto make a purchase and give up their data," she said.
"Paid leads and social media is where you can make up the shortfall, but that market is going to get busier and the cost is going to go up.
"We are looking with clients at their campaign to see where they are getting the best returns and advising them to look past the channels they depend on."
Rebecca Lewis Smith Darren Chapman David Higgins Katie Harris-Wright Bethany Whymark Alex Saunders European Union Norfolk Cyber Security Cluster Birketts United Kingdom Wymondham