The new General Data Protection Regulation (GDPR) came into force on 25 May 2018.
Businesses use personal data mainly to target advertising more efficiently. However, data users have not always explained how this works or allowed individuals to opt out. There is also a secondary market for this data, where details are bought and sold without the knowledge of the individual. The new regulations therefore set more explicit duties for organisations that use personal data, and that includes just about everyone.
This guide sets out the scope of the new GDPR regime and explains the practical steps that should be taken to ensure compliance.
Who is affected?
All organisations are affected if they collect personal data.
Personal data is any record that identifies an individual through name, address, or other contact details. This is a wide definition and shows why everyone needs to have an awareness of GDPR and how it affects their organisation.
The impact of GDPR will depend on the nature of the personal data held and why the organisation holds it. There are legal grounds for holding data and businesses that are already compliant with existing data protection law will have a head start in meeting the new rules.
Any organisation active in direct marketing should already follow data protection law. However, the new rules are more demanding so a number of organisations will have to consider data protection for the first time. For example, there are specific rules for records of children and vulnerable people so the education and health sectors are a particular focus.
The Information Commissioner’s Office (ICO) was set up in 1984 in response to concerns about direct marketing. It upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals. It has evolved over time and has acquired the ability to issue large fines. Several companies have been under scrutiny for large-scale data breaches, including T-mobile and Superdrug. Its remit covers all marketing channels, including mail, telephone and email. There are two legally distinct areas of activity: Data Protection and the Privacy and Electronic
Enforcement and fines
GDPR has raised the existing ceiling for fines to €20,000,000 or 4% of worldwide turnover, whichever is greater. A fine of €50 million (£44m) was levied on Google for a privacy violation, issued by the French data protection authority in January 2019.
Fines can be levied where:
• An organisation is actively misusing the data; as the bar on compliance is being raised, previous practice cannot be relied upon.
• There is a failure to maintain adequate controls against misuse or data loss. Data can be lost through hacking of websites or theft of IT equipment, and a fine will follow if adequate precautions have not been taken.
• Individual rights are not protected and the individual complains to the ICO.
Every organisation needs to understand its responsibilities under GDPR and then take steps to make sure it is compliant by 25 May 2018 and beyond. We recommend addressing these six simple key issues: