"There's a lot in the GDPR you'll recognise, but make no mistake, this ones' a game changer for everybody"
Elizabeth Denham ICO Information Commissioner
What IS GDPR
The General Data Protection Regulation (GDPR) is a European ruling, which governs the data protection rights for all individuals within the European Union. It serves to strengthen and unify all data protection rules and practices across the EU. In short, it gives greater power to the individual with regards to how and who can use their personal data and gives the rights to access, amend, and restrict the personal data organisations hold about them.
Does GDPR affect you / your business?
The short answer is yes. GDPR affects anyone holding data on EU citizens, including those companies not in Europe. The ICO have confirmed that GDPR will still be a part of UK law post Brexit – this was also a point raised in the Queen’s speech. If your business offers goods and/ or services to citizens in the EU and you have captured their data (name, number, email, IP details), then you are subject to GDPR regulation.
Are your marketing activities and processes GDPR compliant?
It is key to ensure your processes cover all the rights the individuals have, including how you delete personal data, transport data and provide data electronically (e.g. in a commonly used format). Be aware that you have to be able to demonstrate how you accommodate the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- The right not to be subjected to automated decision-making including profiling
What happens if my business is not GDPR compliant?
You had until the 25th May 2018 to be fully compliant with GDPR. Failure to comply Once GDPR came into force could result in a two-tiered sanction regime – with lesser incidents subject to a maximum fine of either €10 million (£7.9 million) or 2% of an organisation’s global turnover (whichever is greater). The most serious violations could result in fines of up to €20 million or 4% of turnover (whichever is greater) from the Regulation and ICO (Information Commissioner Officer) office. We work with our clients to ensure that every campaign from start to finish is fully GDPR compliant.
What is the difference between a data controller and a data processor?
A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller. For example, Novus Business Connections are processors as we are instructed by our clients (the ‘controller’) to process (call) their dataset. GDPR brings in greater responsibility for both parties to ensure stronger accountability than before. With good, transparent communication between controller and processor alongside robust processes, understandings and agreements, GDPR will further strengthen the relationships of these entities.