With the EU’s sweeping General Data Protection Regulation (GDPR) coming into force on 25 May this year, Welsh businesses need to be prepared for its impacts.
A new standard for data protection
The GDPR is geared to bring data protection standards kicking and screaming into the 21st Century.
It gets rid of the tick-box mentality that has dominated data collection and storage in recent years. Any “data controller” or “data processor” (that’s anyone who collects or uses personal data in any way) is responsible for gaining informed consent from “data subjects” (anyone who gives an organisation their data).
Businesses and organisations must also ensure that data is stored properly, that any third parties privy to it are clearly identified, and that data is stored “no longer than necessary”.
The key planks of the GDPR are:
- Consent: this must be done via positive opt-in only, and is predicated on data subjects understanding what will be done with their data.
- Right to erasure: individuals can remove their consent at any time and have that data deleted.
- Data portability: companies must be able to supply individuals with all their stored personal data in a safe and transferable format.
- Privacy by design: all personal data collection and storage systems must have privacy and security built in from the ground up, not just added as an afterthought.
How will the GDPR affect Welsh businesses?
It’s rare these days for a company not to use lead or customer data in some way, especially given how many companies employ content marketing strategies, even if they’re not part of the digital economy.
If you think the GDPR doesn’t apply to your situation, well, it most likely does.
One area in particular that will be affected is small and medium-sized businesses (SMBs) and sole traders. Without the personnel and resources of larger companies, many SMBs will need to outsource their data protection, which brings with it its own challenges. At a very basic level, someone will need to be put in charge of overseeing compliance.
The GDPR will be in force whilst Britain is still in the EU, and furthermore it has been incorporated into the UK’s Data Protection Bill, so it’s here to stay.
The GDPR is designed to protect the data rights of all EU citizens and has a global impact on all companies who operate in the region. And with fines of up to 4% of GDP for breaches of the GDPR, compliance is the name of the game.
Only 39% of UK companies are aware of their responsibilities under the GDPR. It’s important to get clued up because we are witnessing a sea change in how data protection is handled.
Putting people in control of their data
The fundamental philosophy behind the GDPR is to put individual citizens in control of their personal data. Companies and organisations need to carry out data audits to get ready for the 25 May deadline. AppInstitute have put together a guide to the essential steps you need to take to get ready for the GDPR.
GDPR, the digital economy and beyond
Wales has a booming digital economy so new and expanding businesses will need to make sure they have their data protection protocols up to scratch.
CEOs and board members will need to make sure implementing the GDPR is a priority through all areas of their operations, from data collection to storage, and even data transfers in and out of the EU/UK.
The GDPR will no doubt raise an army of data protection consultants and advisors ready to lend a hand to businesses who already have enough on their plates.
Welsh businesses will need to change the way they interact with people when it comes to handling their personal data. It’s worth thinking about some of the main impacts the GDPR will have on the sector:
- Awareness of GDPR stipulations will become an essential part of daily life for Welsh businesses, from the board room on down.
- Building informed, trusting relationships between companies and individuals will take on a new relevance.
- Companies and organisations will routinely appoint data protection officers to ensure compliance with GDPR rules.
- Marketing and sales processes will go through auditing and redesign.
- IT and legal teams will have to keep a strict eye on maintaining GDPR principles.
By thinking more deeply about the information we communicate to customers, and how we handle their data, we will have to be more open to putting people first in our business practices. Since we have to make these changes to avoid serious financial penalties, we may as well look at the positive ways this might impact Welsh businesses.