GDPR is a buzzword that was hard to avoid in 2018. Barely a day went by without mention of the EU’s new data protection laws – be it in brand email communications, public social media posts or press reports. Information about the regulation was readily available in the lead-up to it coming into effect on 25 May 2018.
While everyone is affected by GDPR in some way, it’s that much more critical for businesses – especially those who handle customer data on a regular basis – to understand it in its entirety. But the question is, do they?
New research by small business insurer, Hiscox, found that GDPR is still a mystery to some SMEs. In fact, their survey data suggests that over half of SME owners are less aware of what GDPR is now than they were when it first came into effect. This is concerning considering the potential consequences of a breach.
For businesses who may still be in the dark when it comes to knowing what’s required of them, here are the ‘must-knows’ to stay on the right side of GDPR (and yes, there’s more to it than cookie consent).
Why is GDPR important for consumers?
GDPR can feel like a lot of work from a business’s perspective, especially in cases where it has required new processes to be implemented in order to comply. Even business owners are customers though – albeit to other businesses – and will benefit from their own data being protected, so it makes sense to treat others’ data with the same level of care.
The purpose of GDPR is to give consumers confidence that their personal data is handled lawfully and that appropriate technical and organisational measures are in place to keep it secure. Businesses must also be transparent about how data is used and protected. For example, if a business suffers a personal data breach that is likely to put people at risk, it must report it to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it, and must tell the affected individuals without undue delay if the breach is likely to result in a high risk to them. Businesses must also commit to using data only for the purpose for which it was collected. For example, if a customer provides their details while making a purchase, that information must not then be added to a mailing list without their express consent.
Furthermore, the regulation gives consumers more control over their data, including the right to have the information a company holds on them erased (the ‘right to be forgotten’) and the right to receive it in a portable, machine-readable format that can easily be passed on to another provider.
What GDPR means for small businesses
GDPR is not only a digital matter. Any business that handles consumer data – online or offline – must be aware of their responsibilities under the new regulations.
Some organisations must appoint a dedicated Data Protection Officer (DPO) whose role is to monitor the business’s compliance with GDPR. The obligation is not tied to headcount: it applies to public authorities and to organisations whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special-category data such as health or criminal-conviction data. The often-quoted 250-employee figure relates to a different obligation: organisations with fewer than 250 employees are exempt from keeping full records of their processing activities, unless that processing is more than occasional, is likely to put people at risk or involves special-category data.
In line with the regulation’s accountability principle, businesses must be able to demonstrate that appropriate technical and organisational measures are in place to keep personal data secure. This includes safeguarding CRM, HR and marketing systems, which typically hold the bulk of a small business’s personal data.
It may seem as though GDPR is purely beneficial to the customer, however, there are advantages for companies too. With GDPR compliance comes increased trust from customers and improved reputation – two things that are essential for business success.
Examples where GDPR can impact day-to-day business
GDPR is relevant to businesses of all sizes and industries, from global retailers to small marketing firms. The regulation does not carve smaller companies out of its requirements: the main size-based concession is the record-keeping exemption for organisations with fewer than 250 employees, and fines scale with the severity of the infringement and the organisation’s turnover rather than being set by a small-business tier.
The eCommerce industry is one that has been significantly affected by GDPR, mostly because of the volume of customer data it handles every day. Consent is the most important thing to get right: pre-ticked boxes that sign people up to mailing lists do not count as valid consent under GDPR, which requires a clear affirmative action. Customers must actively opt in rather than be made to opt out. The same goes for data minimisation: collect only the information that is necessary and will actually be used. For example, if a phone number isn’t going to be used, there is no reason to ask for it.
Similarly, businesses in areas such as recruitment, sales or marketing have to be careful about how they use personal information when seeking new business or candidates. Consent is one lawful basis for this, but not the only one; whichever basis is relied on (consent, or a documented legitimate interest, for example), it must be identified before a candidate is put forward for a role or recorded in a database for future use, and the candidate must be told how their data will be used.
Cold sales emailing without a lawful basis is also problematic, and in the UK unsolicited electronic marketing to individuals is additionally governed by the Privacy and Electronic Communications Regulations (PECR), which sit alongside GDPR. When reaching out to a new contact, send a personal message to a named individual rather than a bulk mailing from an automated system, and be ready to explain why you hold their details and how they can opt out. If a phone number is available, a call can be a better first point of contact, but cold calls have their own rules too, including screening numbers against the Telephone Preference Service in the UK.
Failure to comply with GDPR
Regulators have been relatively lenient with businesses breaching GDPR to date, but 2019 is likely to mark the end of this settling-in period, and more enforcement action against those who fail to comply can be expected this year.
Penalties follow a two-tier structure based on the nature of the infringement. The higher tier carries fines of up to €20 million (£17.6 million) or 4% of global annual turnover, whichever is higher, and covers the most serious failures: breaches of the basic processing principles, the conditions for valid consent, individuals’ rights and the rules on international data transfers. The lower tier carries fines of up to €10 million (£8.8 million) or 2% of global annual turnover, again whichever is higher, and covers failures of a controller’s or processor’s obligations, such as not reporting a breach, not maintaining adequate security measures or records, or not appointing a DPO when one is required.
All fines are set case by case and the maximum is unlikely to be imposed in the vast majority of cases. The size of a fine is assessed against factors including the nature, gravity and duration of the infringement, whether it was intentional or negligent, the measures taken to mitigate the harm, and how far the organisation cooperated with the regulator.
The high-profile data breaches
Since GDPR came into force in May 2018, only a handful of companies have been sanctioned under it.
The first to receive a formal enforcement notice from the UK’s data protection watchdog, the ICO, was Canadian analytics firm AggregateIQ, which worked on the Vote Leave campaign ahead of the EU referendum. The small data company had been engaged to target online ads at voters and was found to have processed people’s data ‘for purposes which they would not have expected’. It was ordered to cease processing the personal data of UK and EU citizens within 30 days, with failure to comply exposing it to the maximum GDPR fine.
In September 2018, British Airways announced it had been the victim of a data breach. GDPR requires breaches that are likely to put individuals at risk to be reported to the supervisory authority within 72 hours of the organisation becoming aware of them, and affected individuals to be told without undue delay where the risk to them is high. BA announced the breach publicly one day after it was discovered. Around 380,000 customer booking details were stolen, including customer card details in full.
If it is decided that British Airways failed to properly protect its customers’ personal data, it is expected the company will be penalised under GDPR. It could theoretically be fined up to around £500 million, roughly 4% of its global turnover, and the figure could be higher still if the airline’s parent company, International Airlines Group, is held accountable. The ICO is still investigating and is yet to confirm the size of any fine.
Most recently, Google hit the headlines after being issued a landmark €50 million (around £44 million) fine by the French privacy watchdog, CNIL. Even so, that sum is far below the theoretical maximum of 4% of the company’s global annual turnover. The tech giant was penalised for a ‘lack of transparency, inadequate information and lack of valid consent regarding ads personalisation’.
This should clear up some of the grey areas around GDPR. It’s important to understand what’s expected of businesses under the new laws, and there are benefits to be reaped from complying too: consumers put more trust in companies that look after their data, and businesses face a reduced risk of data breaches when effective systems and processes are in place. When personal data is used responsibly, businesses run more smoothly and efficiently, and with greater consumer trust.