How big an impact could GDPR have on your business?

It is very important for businesses and organisations to understand their responsibilities and ensure they have the relevant structures and policies in place to be compliant with the General Data Protection Regulation (GDPR). A simple thing like not having an up-to-date privacy policy on your website may attract an audit from the Data Protection Commission (DPC) which could lead to a fine. 

A recent report published by the DPC highlighted that in the two years since the GDPR came into effect, the DPC has received almost 12,500 breach notifications, of which 93% were found to be in scope of the GDPR.  Many of the breaches that the DPC examined could have been prevented by more rigorous technical and organisational measures within the organisation.

So, what is GDPR and how can it impact your business?

What is the ‘GDPR’?

The General Data Protection Regulation is an EU law that came into effect on 25th May 2018, applying to all EU member states in order to protect and safeguard the privacy rights of individuals.

Why do I have to comply with the GDPR?

Under the GDPR there are heavy fines for non-compliance, amounting to 4% of global turnover or up to €20 million (whichever is the greater). In addition, individuals may sue an organisation for material or non-material damage if there is a breach of the GDPR.

Who does GDPR apply to?

The GDPR applies to large companies, SMEs, not-for-profit organisations, community groups, and individuals. If you process personal data, the GDPR applies to you: for example, if you have a ‘Contact Us’ page or ‘Submit your CV’ form on your website, then you are collecting and processing an individual’s personal data.

How is personal data collected?

There are several ways personal data can be collected by an organisation, e.g. emails, banking information, contacts, addresses, social media posts, Customer Relationship Management (CRM) systems, images or recordings of individuals (e.g. video, CCTV), and even IP addresses from websites.

How does GDPR affect Customer Engagement?

Ways of working have changed dramatically due to GDPR, especially for sales and marketing teams. Organisations have had to review business processes, email marketing campaigns, and ways of obtaining consent. Now, in order to sign up for communication alerts, individuals have to fill out a form or tick a box and then confirm it was their action in a further email (double opt-in). The conditions for obtaining consent are stricter under GDPR. You have to be able to prove that the individual agreed to a certain action, e.g. to receive an ezine. You are not allowed to assume consent has been given or to add a disclaimer. Also, providing an opt-out option is not enough. Therefore, organisations need to identify new ways of collecting customer information that are GDPR compliant.

In order to be GDPR compliant there are several steps an organisation needs to take.  Below are some simple tips on how to get started.

  1. Identify the source of all the personal data in your organisation and document what you do with the data.
  2. Determine what data you need to keep.  Remove any data that you are not using.
  3. Put security measures in place within your own organisation and with third parties you use for processing personal data.
  4. Review your documentation to ensure it complies with GDPR, especially your privacy policies.
  5. Set up procedures for the handling of personal data. You need to include ‘right to be forgotten’ requests, disclosure of information requests, and dealing with breaches (should one happen).
  6. Ensure all your personal data collection points have a consent area associated with them.

While GDPR continues to create challenges for organisations, it also creates opportunity. Businesses that show they protect personal data, are transparent about how data is used, and have robust procedures in place will retain more loyal customers.

If you are interested to know more about how GDPR can impact your business, then contact us today.

© 2020 – 2023 Platinum Solutions. All Rights Reserved.