GDPR looms for hundreds of thousands of unprepared UK businesses
With only 100 days to go before the implementation of GDPR, Safety in Numbers takes a look at what it means for businesses and consumers…
Last week the Department for Digital, Culture, Media and Sport released the findings of a survey that revealed nearly two fifths (38%) of the UK’s businesses are aware of the upcoming implementation of the new General Data Protection Regulation (GDPR).
While awareness of GDPR rises when looking at the overall size of the organisation – growing from just 31% of microbusinesses to 49% among small businesses, 66% among medium businesses and 80% among large organisations – this still suggests that nearly 430,000 businesses across the UK are running out of time to ensure that they are fully GDPR compliant by 25th May.
As the other 62% of UK businesses are aware, GDPR is a replacement for the Data Protection Act which, at 20 years old, was in need of an overhaul. While many of the core concepts and principles are the same as the DPA, GDPR’s main upgrade is that it is designed to strengthen and unify existing data protection laws in light of the meteoric rise of the internet over the past two decades, with the main focus on minimising:
- the amount of data collected
- the length of time non-essential data is stored
- unauthorised access to data
- safety breaches to existing databases
With penalties laid out to be “effective, proportionate and dissuasive”, companies in contravention of the new laws could be fined up to €20 million or 4% of their global turnover. So while this level of punishment would only be handed down in the most extreme of circumstances, it is nonetheless something that is being taken very seriously by the EU, and consequently something UK businesses should be treating with the same level of importance.
At the heart of the new regulation is the consumer’s right to take control of where their private, personal and identifiable data is held and, crucially, by whom. This means that any organisation that is processing EU citizens’ data must prepare to set out how they store, manage and process this information. Irrespective of Brexit, the UK government has promised it will implement the regulation in full, and is in the process of doing so with a new Data Protection Bill going through Parliament.
The first thing that consumers are likely to notice is a rise in the number of websites asking to confirm that they, as the customer, want to give permission for the company to remain in touch so as to give information updates, details about new products and marketing offers. It’s at this point the consumer has the right to give permission or maintain the right to stay anonymous.
Consumers will also start to see a difference in the way that organisations communicate with them about how their data is used. This will mainly affect the length of consent statements and privacy policies. Whilst marketing consent, for example, may not need to be explicit, it does need to be unambiguous. This means that consumers cannot be forced to give consent for further use of data when signing up to a service if they do not want to.
One of the more obvious changes brought about by GDPR will be the requirement for organisations to communicate in clear and plain language, so gone will be the days of technical jargon confusing customers as to what exactly they are signing up for. This should not only help create greater transparency but also foster a healthier relationship for the customer with the business, so it should be a win-win situation once in place.
Other benefits for consumers include an easier way to exercise the right to object to direct marketing and profiling, and a decline in the number of nuisance calls and texts, thanks largely to the aforementioned penalties for data abuse by rogue operators.
In some ways, the arrival of the GDPR will only underline the fact that consumers are in charge when it comes to their personal information. Many organisations have already seen the benefits of adopting transparent privacy notices and offering their customers control over their data.
Now, with the regulation less than four months away, it is up to the consumer to take advantage of the opportunities available to them. They have the chance to not only access, erase and rectify their data but to also pursue a better, more transparent relationship with organisations such as banks, retailers, insurers and energy suppliers.
At Citigate Dewe Rogerson we’ve been working closely with our parent company, Huntsworth, as well as our clients to ensure that all data we handle is fully GDPR-compliant in advance of the launch of the new regulation.
Chris is Head of Research at Citigate Dewe Rogerson and is fully GDPR-compliant.