On Friday 25th May, the UK Data Protection Act 1998, which has regulated the professional use of personal information for two decades, is to be retired. In its place comes a new regulation that applies not just in this country but across the whole European Union: the General Data Protection Regulation, or GDPR.
Oddly enough, for a landmark piece of legislation in both its scale and its powers, the GDPR has received little in the way of media attention. Indeed, there are businesses operating today who don’t even know what the GDPR is! A scary thought when you consider this is a regulation that allows fines of up to €20m to be imposed.
The relative lack of media coverage should not, in any way, tempt organisations into thinking the GDPR is to be taken lightly. To put the matter beyond doubt, allow us to illustrate some of the regulation’s powers…
Meet the ICO
Otherwise known as the Information Commissioner’s Office. They are the independent UK public body charged with regulating GDPR compliance in the UK, and their remit bestows upon them some formidable clout.
For the avoidance of doubt, it is important to remind readers that the ICO are not the ‘enemy’. They’re not out to ensnare businesses like some public-sector version of the Child Catcher. In fact, their website now contains a wealth of information regarding the GDPR, with tips and checklists to help those who are unsure get up to speed. However, they have been given a job to do, and do it they will.
The penalties the ICO have the power to issue as UK regulator of the GDPR vary in severity depending on the nature of the contravention. For instance, a single customer complaint about an unsolicited phone call won’t attract the scrutiny that a wholesale data breach will.
A knock on the door from the ICO won’t always follow a complaint or data breach either. In the immediate aftermath of the GDPR’s implementation, a good deal of activity is expected as the ICO look to clamp down on non-compliance. This will likely involve random spot-checks and, in some cases, site visits.
In terms of the penalties themselves, the one that has attracted the most column inches, unsurprisingly, is the biggest one the ICO have the power to impose: a fine of up to €20m, or 4% of global annual turnover, whichever is the higher. (A lower tier, capped at €10m or 2% of turnover, applies to less serious infringements.) In practice, fines on that scale are reserved for the biggest corporations, the ones you would hope have been preparing themselves for the GDPR for some time. The ‘smaller’ penalties, however, have the potential to be no less devastating to the organisations they hit.
For example, the ICO have the authority to carry out on-site audits where there has been a series of complaints or a reported data breach. These audits can take several weeks and are extremely thorough. During the process, the ICO must be granted access to the premises, records, systems and staff they ask for. If you have an important meeting at 2pm, but an ICO representative wants to discuss something with you at 2pm, the meeting gets cancelled.
If a complaint or breach is deemed serious enough, the ICO also have the power to prevent an organisation from handling any personal data for a set period. Imagine not being able to use, or even access, your customer information for a week. How damaging would that be? Imagine if it was for a month. Though less headline-grabbing than the €20m fine, it’s a penalty that can quite plausibly finish a business.
Make no mistake, the GDPR is a regulation with teeth.
The intention here isn’t to frighten anyone, simply to make people aware that the GDPR is not a regulation to approach nonchalantly. Achieving compliance is a manageable process, provided you allocate the time, resources and qualified personnel to the task. Of course, the issue that then rears its head is whether all this can be achieved in-house.
Attaining full-blown, top-down GDPR compliance is not something we’re going to get into here. It would take far too long, and we wouldn’t be covering anything you can’t already find on the ICO website. What we will cover, as communication and content writing specialists, is what must be done in terms of the information you communicate to your customer-base and your website visitors.
Customer-base – Whether your business operates at a B2C or B2B level, you will need to convey to your clients the impending changes being made in relation to the GDPR, and what their rights are. The best approach is to assume they know nothing about the GDPR.
You will need to alert them to:
Website visitors – The more one looks into the GDPR, the more apparent it becomes how many ‘grey areas’ there are. Over the coming years it is inevitable that complaints and alleged breaches will end up in court, and the GDPR will be shaped further by the resulting case law. Some areas, however, are very clear. When it comes to what information organisations must display on their websites, the regulation is explicit.
As a minimum, all websites that can acquire personal information must include:
A contact page disclaimer: Every commercial website has a page, or part of a page, that includes a contact form or contact details. For this page to be GDPR-compliant, it must carry a visible notice explaining in clear language what a customer’s information will be used for and what their rights over that data are once they have submitted it. In the regulation’s own terms this is the privacy information that must be provided at the time the data is collected, which is why it needs to be presented, or at least clearly linked, at the point the form is submitted rather than only in a policy page elsewhere on the site.
As stated earlier, the ICO aren’t looking to catch organisations out. However, they do expect to see that reasonable efforts have been made to achieve compliance. When running a busy organisation, it can be hard to find the time to dedicate to complying with a new regulation. Harder still if you’re not sure what you’re doing.
Though a modest budget is needed to bring in compliance experts to ready your organisation for the GDPR, it is a budget that looks smaller still when set against the penalties stored away in the ICO’s inventory.