What is the General Data Protection Regulation (GDPR)?
GDPR is a new regulation which will be enforced from 25th May 2018 across the whole of the European Union. It is intended to protect the rights and privacy of EU citizens. The regulation will still apply to the United Kingdom after Brexit in the form of the Data Protection Bill (passed in August 2017), which has similar consequences.
GDPR will impact all businesses on some level, depending on what data you hold. If you have a marketing mailing list, customer databases, shared drives (e.g. Google Documents) or employee records, you will need to take action, as it is your responsibility to ensure you legally comply with how you collect, store and process personal information.
You must be able to demonstrate the following:
- You can prove you have consent to use a person's data (e.g. they have opted in to a mailing list themselves; someone verbally agreeing cannot be proven).
- You have a data audit in place covering how you will use the data, why, and how it will be stored.
- You have a plan in place should there be a data breach (e.g. your customer relationship management system is hacked and customer details are leaked: how would you deal with this?).
How GDPR will affect your business will be unique to you, so you will need to spend some time researching exactly what actions you need to take. You may find that you are already halfway there without knowing it, but there will still be a few steps which will need to be implemented.
The following resources will be able to help you on your way:
- Information Commissioner's Office - Guide to the General Data Protection Regulation
- Direct Marketing Association - Guide to the General Data Protection Regulation
- An excellent example of a Privacy Impact Assessment
The Consequences of Failing to Comply with GDPR
If GDPR is not complied with the following actions could be taken should there be a data breach:
- Reprimand – a letter would be sent by the ICO expressing their disappointment and concern. The company would have to respond to this.
- Rectification or deletion of data – the company can be ordered to ‘clean up’ its data, add another layer of security or delete some of the data which it holds.
- Ban on data processing – the company would not be allowed to collect any further information.
- Fine – up to €20 million or 4% of global annual turnover, whichever is greater.
What is Composites UK doing to comply with GDPR?
Composites UK has always demonstrated best practice with regard to the data it holds, never sharing contact details without prior consent or buying contact databases. With that said, the Association will be:
- Asking those who have been on our mailing lists for a number of years (2014 or earlier) to re-subscribe to continue to receive our e-newsletter/event notifications. This is so that we can prove your consent to receive our information.
- Ensuring our data policies surrounding The Hub and website are updated where needed following a full data audit (the audit has been completed).
- Ensuring the third party companies we use to store data have a data breach policy in place.