On 19th October we held our latest Digital Transformation event in Knightsbridge, bringing together a number of top UK retailers to discuss new data protection legislation. The introduction of GDPR (General Data Protection Regulation), due to take force in May 2018, aims to hand power back to consumers over their own data, attempting to encourage active communication between consumers and retailers. Research undertaken by the Institute of Directors (IoD) earlier this year estimates that nearly a third of UK business leaders are unclear or unaware of the new regulation, which could have wide-reaching consequences for the data you collect, how you use it and who you share it with.
The event headlined with a presentation from Sophie Spread of SAS Law. She discussed how individuals will consent to the access of their data, the right to be ‘forgotten’ and the impact on data governance. Sophie also provided delegates with a handy compliance checklist that will assist in overcoming some of the complexities around GDPR. Enforcement starts on 25th May 2018 and has jurisdiction over all EU data subjects. No matter where in the world your business operates (including Britain outside of the EU), it’s likely that you’ll need to adhere to the new standards.
Does this spell the end of cold calling?
The truth is we’ll have to wait and see to answer that one. What is certain, however, is that the potential consequences of non-compliance are huge: fines of up to €10m or 2% of total worldwide turnover (whichever is higher), with extreme breaches facing potential fines of €20m or 4%. That’s a lot of money that you’d rather be spending on the infrastructure required to gain a competitive advantage and maximise returns.
The 7 Step Action Plan
It’s not something to worry about, but to be aware of. Here’s what you need to do before May:
- You’ll need to get management buy-in. This is going to pose a significant regulatory, legal, operational and reputational risk, so the board will need to be informed and a budget obtained.
- Make sure you know where your data is. Get a data mapping / audit so that you know not just how it’s stored and whether it’s secure, but which third parties have access to it. The regulation explicitly outlines a ‘privacy by design’ objective. You’ll need to be working closely with third parties to ensure the data you provide them is reviewed and updated in time.
- Get confirmation that you’re allowed to use your customers’ data. For this you may need to review policies and procedures. To make sure your dataset is safe, you may need to contact your customers before GDPR has been introduced.
- Design process flows to make sure you’re ready for the change. Develop a strategy to manage customers’ “rights” over their data. What if a customer decides to exercise their right to be forgotten? You’ll need to make sure, and be able to prove, that you deleted that data from wherever possible.
- Organise the GDPR team – who will need to be involved in getting ready for GDPR?
- Cleanse (and repeat regularly) – it’s not about collecting data for the sake of it. GDPR is clearer than its predecessor (the Data Protection Act 1998) on collecting only the data you need.
- Education and training – GDPR is widely seen as being the ‘gold standard’ for data protection. If you comply with GDPR, you comply with almost all other data protection rules worldwide.
If you would like to find out more about how eComp can help your business prepare for GDPR, please get in touch.