Few business owners and senior leaders can be unaware of GDPR: the General Data Protection Regulation. While many people are aware of GDPR, some businesses are still not clear on how it affects them and what they should do. This change in the law is designed to give individuals more control over their personal data – the data companies and organisations process and store – and strengthen data protection policies and processes within the EU.
Key components of GDPR
The ability to give individuals more control over their personal data – this is the data companies and organisations process, store and market to
The strengthening of data protection policies and processes designed to reduce the impact of cyber-attacks and data breaches
Fines are given to companies for non-compliance, but the impact of a data breach is arguably more significant for businesses in terms of reputational damage
GDPR: Does it affect me and what should I do?
The fallout from a data breach
If your business processes sensitive personal data, valuable data, it is at risk of a data breach. GDPR fines are a deterrent to non-compliance but so is brand reputational damage and potential legal action.
Take a look at the fallout from the Equifax data breach in 2017:
- There are now over 240 individual class-action lawsuits against Equifax
- An investigation opened by the Federal Trade Commission
- More than 60 government investigations from U.S. state attorneys general, federal agencies and the British and Canadian government
- A rare 50-state class-action suit has been served on the company
This highlights the costs and critical damage involved in data breaches and is a particular warning to companies that hold large quantities of highly sensitive personal information to ensure they have the most effective cyber security protocols in place, well before an incident occurs.
The Equifax example also provides plenty of reasons to become GDPR compliant. Not to avoid fines in the event of a breach, but to protect personal data so that the impact of any attempted breach is minimised.
Build loyalty with customers and employees whose data your business processes by putting their personal data at the centre of cyber security and data protection policies.
What actions should you take?
In summary, these are the key areas you should take action on:
- Start processing data in a secure way, taking steps to protect data from cyber criminals
- You must report a data breach within 72 hours to the Information Commissioner’s Office (ICO)
The impact of GDPR on marketing
Obtaining permission: A marketing opportunity?
Of course, all businesses want the opportunity to communicate with customers and prospects. GDPR requires that your business obtains consent from individuals and that they understand what their data will be used for.
If they are opting in for marketing communications, this must be clear and separate from any other messaging. It must not be confused with check out processes on e-commerce site, or with sending a proposal or quote for services. Individuals should not be penalised for not opting in – although they may miss out on discounts and offers as a result.
What actions should you take?
You must take steps to gain permission from your database to be able to market to them, in turn, providing them with the option to opt-out. The examples below from Manchester United is both clear and compliant.
‘The law is changing, so everyone must opt-in again to continue to receive emails from [insert company name]. Opt-in or opt-out from receiving our latest offers and news by email. You will always have the option to unsubscribe from any future communications.’
There is a great opportunity with GDPR to get your customers’ data in order and deliver more effective direct marketing campaigns in the future. Customers who opt in knowing what they are signing up for will be much more receptive to your communications. Your business will have a greater ability to target them with messages that result in actions.
GDPR can feel like a burden on small businesses. The focus on GDPR’s hefty fines has distorted many people’s view on this legislation, viewing it as an onerous box ticking exercise rather than an opportunity. However, there are clear benefits.
GDPR should be viewed as an enabler that will help your company protect personal data, so that in an event of a data breach the consequences are not as severe. The quality of the data processed will be improved and duplications removed.
GDPR isn’t something to be afraid of, instead, embrace it and your business will see the benefits.
Bruce Penson is managing director at Pro Drive IT