Data protection shake-up - is your business protected? - Business Works

by Steve Woolley, Head of External Affairs, CIM

It is critical that companies know the facts, seek advice and act early to prepare for the new General Data Protection Regulation (GDPR), says Steve Woolley, Head of External Affairs for CIM (the Chartered Institute of Marketing).

Marketers are increasingly relying on data to do their day jobs. The insight it provides allows for better targeting and more strategic planning and personalised experiences for consumers. Yet, the way businesses use data is facing a seismic shake-up as we see the introduction of the new GDPR.

Breaking these rules, intentionally or not, could see a business fined up to 4% of its global turnover, or €20 million (whichever is greater). These penalties clearly demonstrate that understanding and implementing the relevant data process changes needed to meet the new criteria should be a priority for businesses across the UK.

The regulation is not due to come into force until 2018, but, in our opinion, preparation needs to begin now. Depending on the size of a business and how you use data, the changes you will need to make in order to meet compliance standards will require careful planning, potentially some allocated budget and certainly more staff education.

The reforms will replace the outdated Data Protection Act 1998, which was drawn up in 1995 before the growth of the Internet, smart phones, social media and Internet banking. Businesses rely on the clever use of data to serve their customers and grow their services. Therefore, compliance with these new rules will play a vital role in maintaining customer trust. The marketing landscape has changed massively and as marketers we needed the rules to keep up.

So, what exactly will the new regulations mean for the running of a business day-to-day? Well, it is changing the way businesses collect, store and use personal data. At each point in this process, and across potentially many different business functions, the rules need to be understood and complied with. Businesses really need to act now to avoid tripping up to the tune of thousands of pounds down the line.

The GDPR shouldn't be seen as a formality to set aside for later, nor should it be just a tick box exercise. Business leaders should be acting early to understand how the changes will affect them and consider their next steps. The GDPR is looking to positively impact the use of data in the following ways:

  • Higher levels of responsibility around the provision of information and transparency concerning consent

  • Increased rights for individuals to access their data or control how it is moved from one organisation to another

  • Requirement for companies to demonstrate that privacy has been built in to their data handling processes through updated technical and organisational measures

  • Obligation for data breaches to be reported to regulatory authorities within 72 hours, and 'without undue delay' to the individuals (customers) whose data has been mishandled.

The GDPR shouldn't be a huge surprise to businesses. After years in the planning, it has been developed to bring much-needed definition, clarity and accountability to data practice. The new rules reflect a move towards more responsible, transparent and customer-centric marketing, which is something CIM has always championed across the profession. A penalty fine is one thing, but failing to comply brings, in our opinion, the greater risk of losing customer trust, which can be even more damaging for a business in the long term.

Here are a few pointers your business should consider, sooner rather than later, when getting up to speed with the guidance:

  • Raise awareness with key individuals across your organisation of the changes, the importance of compliance, and the potential penalties if the business fails to comply

  • Audit the information and personal data you hold as a business - where does it come from and where does it go?

  • Be open and transparent about how data is used across the business and the privacy policies you have in place

  • Keep consent front of mind - make sure across all channels that you get it, record it and store it safely and responsibly

  • Be prepared for breaches - do you have procedures and plans in place to manage and communicate to the individuals impacted?

Getting to grips with all the guidance is the first step and seeking advice from the Information Commissioner's Office can be really helpful with this. Businesses will then need to decide who will be responsible for driving forward the changes. One of the most striking outcomes of the GDPR is the forecasted increase in demand for new data protection officers. Organisations which monitor a lot of data will require a designated data protection officer and others will need someone to take charge of compliance, which will mean more of the workforce will need to be trained up with this knowledge and these skills in the next two years. Data protection recruitment agency GO DPO EU has already estimated that 33,000 data protection officers may be required for the financial services sector alone.

On the one hand, this guidance merely outlines what all businesses should already be doing - treating personal data and information in a responsible manner. However, we are calling upon those marketers and businesses falling short of these professional standards to treat the new guidance as an opportunity to do so. Businesses should act now and get their data protection act together.

For more information on GDPR, please visit the CIM web site
