With the changes in the data protection act coming into force next May, the whole way in which business is conducted is going to change. Previously, businesses could email out against their data, just as long as they had a “remove me” option. But this is no longer the case under the GDPR.
Unless your business has a defined business-related need for the data, or has done business with the customer recently (there is still a grey area about what "recently" means), the data record falls out of compliance and must be deleted.
The only other options lie either in the legal need to hold the data or in using something called “consent”. There are only a few weeks left now to contact all of those in the databases and seek consent explicitly, or else delete their data from the business databases. Oh, and this includes paper-based records as well. (OMG!) The best course is to define the data as a business need, but consent must be used to cover the gaps where this is uncertain.
Consent must be sought and given in a defined category, not simply held for various business purposes. So, if a product service record, which is covered under the “legitimate business use” rules, were to become mixed with an opportunistic sales and marketing message, then this would be non-compliant. This could result in the ICO fining the business up to 4% of annual turnover.
Then there are suppliers to the business. Their sharing of non-compliant data could equally land an ICO fine on your business.
Every way you turn presents a new barrier to previous methods of doing business. Things are certainly about to change, and not in a good way for my enthusiastic marketing team.
Traversing this minefield is not for the faint-hearted, and connecting with both data and legal expertise would appear the only sensible way forwards. One slip could cost dear, and with the ICO being self-funding through fines, it is only a matter of time before the net closes.
One other thing that struck me: this is not just a computer issue. It spreads throughout the business, touching supplier contracts, consultant and contractor arrangements, control of company processes and all things legal.
One more thing: this is not a single event centred around the 25th May 2018. This is a matter of culture and control. All of your staff need briefing and training, employee contracts need changing to reflect the GDPR and the consequences of a breach, and all marketing teams need to sit up and take note now, before time runs out.
GDPR could indeed kill your business, but if you get to compliance by May 25th your business will secure its place in your supply chains, customers will continue to place business, and the credential of GDPR compliance is a powerful asset.
The world is changing, and the legal structure of GDPR means that opting out is not a real option if you want your business to exist in the future. There are real opportunities in GDPR for all businesses, and the strengthening of customer relations will only enhance your brand in the years ahead.
Act now, as time really is running out. Call RDS today on 0330 2211244 for fast, friendly help to get you to GDPR compliance and allow you to make jubilant announcements to your supply chain of your good standing.