GDPR – What is it, and how much should we all care about it

As the EU’s General Data Protection Regulation (GDPR) is looming ever closer, I’ve been wondering exactly what it is, and how much I should really care about it.

The culmination of four years’ efforts to try and update our data laws and protection to match the very data-centric age is coming to a head on the 25th May 2018. This new regulation will replace the 1998 Data Protection Act (http://ow.ly/PoxA30jFofi), which itself was brought in to implement the 1995 EU Data Protection Directive (http://ow.ly/kQDU30jFofY).

In a nutshell, the aim of GDPR is to help give people more control over their own data, and how organisations and businesses use such data. We’re all guilty of ticking that little ‘terms and conditions’ box to say we’ve thoroughly read them and know exactly what will happen with our data, but 9 times out of 10 we’ve not even skim read the lengthy, oft 20+ page document - GDPR is supposedly going to help fix that by removing legal jargon and making T&C's easier to understand. Another problem is social media, as companies such as Facebook, Twitter, Google and more require our data in order for us to use the free services (and we basically cannot refuse anything given to us for free… no matter the cost it seems).

Why should we care about GDPR? It applies to any and all businesses that have data – these businesses are placed in two classes, ‘controllers’ and ‘processors’. As stated by ITPro (http://ow.ly/24uc30jFoIx), “A data controller states how and why personal data is processed, while a processor is the party doing the actual processing of the data.”

Once the regulation has passed, all data must be processed lawfully. If you’ve been getting emails that are asking you to confirm you are happy to continue receiving information from the company, that’s the business themselves confirming that you consent to them lawfully keeping your data on file in the future. It must also be included in T&C's exactly what data is being collected, why, how it is, along with a lot more information on it.

“The conditions for consent have been strengthened, and companies will no longer be able to use illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it” (http://ow.ly/KWm330jFpOz).

If you do not get this consent, you can be fined up to £20 million, or 4% of your annual turnover – whichever is the greater sum of money.

So, how can you get the legality you need to be in compliance with the regulation? Get proof people are fine with you keeping their data. The best way to do this is to send out a ‘GDPR opt-in’ email to everyone in your database, that way you have the proof should you ever need it. You may also want to contact your email marketing providers, or any sites you use that contain data, just to make sure they are also compliant with GDPR. Also, if you have any bought in lists on your database, delete them now.

MailChimp is a good site to use in order to gain consent, as they already have a page set up on the website stating what it is doing to become compliant, and what you can do to prepare (http://ow.ly/q4xB30jFq7J).

Overall, becoming GDPR compliant isn’t really that difficult, but it is incredibly important. Make things nice and simple for anyone you need to gain consent from. Send out a simple ‘opt in’ or ‘opt out’ email, and make sure you have a ‘Subscribe to our newsletter’ button on your website.

In a nutshell, don’t send things to people unless they’re okay with it. It’s much better to have a smaller list of people you know are interested in what you send out, rather than a very longlist of people who are gradually getting more annoyed with your emails!

Written by Kennady Smith, 27/04/2018