After endless discussions and debates, the EU’s forthcoming data privacy legislation – the General Data Protection Regulation (GDPR) – will finally be implemented on 25th May this year.
With stricter rules and heavy financial penalties for non-compliance, the GDPR is a significant step forward for data privacy and consumers’ rights. While this change has been greeted with positivity by regulators and consumer rights advocates, its looming enforcement is a source of concern for many marketers.
Indeed, many SMEs are mired in fear, uncertainty and doubt. There is much confusion over the new rules; the number of businesses that felt they were on track ahead of the change dropped from 68% to 55% once they realised the full scope of the changes following recent guidance provided by the Information Commissioner’s Office (ICO).
It is easy to think of the GDPR as punitive, draconian measures or at the very least anti-business –
Of course, in order to take hold of this opportunity, SMEs must get to grips with the legislation, understanding what is being asked, and most importantly, why. Here are five considerations of which all SMEs should be mindful:
Even for lawyers, legal regulations can be difficult to decipher – and interpreting the specifics of the GDPR is no different. A complex and multi-faceted regulation, understanding its intricacies is particularly vital and SMEs will need to ensure the right documentation and processes are in place to help demonstrate compliance. Importantly, the ICO and the DMA are available to answer questions, so do use them as a resource.
2. Data Audit
While SMEs will not have anywhere near as much data as other, larger organisations, they will still be accountable for whatever they store – no matter how little. If the ICO does visit, it should be ensured beforehand that all data is ferreted out and clearly documented with when, how, and why it was obtained; what you are going to do with it and how long you are going to keep it.
3. Individuals’ Rights
The GDPR is a big win for citizens' rights, with more comprehensive outlines dictated on how their data should be handled.
One of the key changes is found in the ‘right of access’, which has expanded considerably and is now required to be free of charge. There are new rights as well, such as the ‘right to be forgotten’, where the data subject will be able to have all of their personal data deleted (i.e. ‘forgotten’) when they no longer want to have a relationship with a brand. With all of the individual rights enshrined in the GDP, you should think about what processes you will need to accomplish this.
4. Privacy Notices
Transparency is paramount: being open and honest with the people who give you their data about what you are collecting, why you want it, how you will be using it and how you will take care of it is a core principle of GDPR.
5. Legal Basis
GDPR defines six different legal bases for processing data. The two that most marketers will rely on are legitimate interest and consent. A lot has been written about marketers relying on consent, but SMEs should not overlook legitimate interest. First, the regulations make clear that all the legal bases are equal and that none outweighs the other.
Secondly, consent is an objective legal ground; in other words, black and white – either you have it or you don’t. Legitimate interest, on the other hand, is a subjective legal standard, totally dependent on the situation. SMEs would take a risk-based approach to determine if their legitimate interest to market to an individual does not infringe on that individual’s rights under the regulations. SMEs should not think that this is by any means an easier standard to achieve, but rather it allows them to take all business factors into consideration.
These are of course just a few points that should be considered – for a more comprehensive outline of the law please do visit the ICO or the DMA, both great resource for further information on how to get ready.
Happily, many SMEs may find they are already working in compliance with the regulations, and many more will find that only small tweaks are required to ensure they are in line with new requirements. After all, there is very little in the GDPR which has not been talked about as best practice for years. As with any opportunity, grasping it can be a challenge, but for SMEs, the two golden rules of the GDPR should serve them well in their wider approach: keep the customer’s rights at the heart of operations, and document everything.