It’s only 11 months until the European Union’s General Data Protection Regulation (GDPR) comes into force (25th May 2018).
Our webinar this week is taking a look at how you can start your planning process for GDPR.
First though, here is a rundown of our 5 most frequently asked questions. If any of this is new to you, or this is as far as your knowledge already goes, please do join us on Thursday!
What is The EU GDPR?
Standing for the General Data Protection Regulation, GDPR is the EU’s regulation governing the processing of personal data belonging to people in the EU. It applies to any organisation, wherever it is based, that holds or processes personal data about EU residents, and it replaces the inconsistent and out of date approaches of individual member states. It’s a binding legislative act that replaces the 1995 Data Protection Directive, a 20-year-old framework that was written when web technology was still very new. The GDPR is designed to address the risks to personal data that have arisen from the digital lives we all now lead. The big aim is to enable a secure flow of data that individuals have greater control and visibility over, backed by clearer consent processes and stronger rights for the individual.
The GDPR applies to organisations located within the EU as well as businesses outwith the EU that supply goods or services to (or monitor the behaviour of) EU data subjects. It’s important to remember that this isn’t just about you and your systems. If you are a data controller you remain responsible for the data processors you use, so your suppliers will also need to play by the rules or you could still be fined.
Does it apply to my business before and after Brexit?
Come May 2018, the UK will still be part of the EU, so the GDPR will apply to every UK business. After Brexit it makes sense to comply anyway: if you are selling goods or services to EU residents, or monitoring their behaviour, you still need to meet your obligations regardless of where you are based. If you’re operating only within the UK, the UK government has indicated that it intends to keep equivalent rules in place, so compliance will not be wasted effort.
What are the main headlines?
Storage – You need to be able to clearly define what personal data is stored, where it is stored, how it’s collected and how it’s used.
Processes – Businesses will have to be able to provide evidence of what type of data processing is carried out, how data is used, the flow of data within and outwith the organisation, who has access to the data, and what protections apply at each step.
Consent – Consent must be freely given, specific, informed and unambiguous. Consent agreements must be separate from other terms, written in plain language, and recorded against each customer. Opt-in boxes cannot be ticked by default, so-called soft opt-ins will become a thing of the past, and double opt-in is likely to become standard practice as a way of evidencing consent. People must understand why they are giving permission and be able to withdraw it as easily as they gave it (and that withdrawal must be recorded back to the customer file). The ‘right to be forgotten’ falls into this category too. If your existing data was collected in a way that already meets the new consent rules, it should be fine to keep using it. If you’re in doubt, you should contact the individuals on your databases, seek fresh consent and give them the opportunity to be deleted.
Privacy by design – Just as it sounds; data protection should be part of the foundation of designing data systems rather than an addition.
Data Protection Roles – Depending on your business, you may be required to appoint a Data Protection Officer (DPO) under the GDPR. Public bodies are included in this, as are businesses that carry out large scale systematic monitoring of individuals (e.g. online behaviour tracking) and businesses that process large scale special categories of personal data (e.g. health, ethnicity, religion, biometrics). Regardless of whether or not you are obliged to appoint a DPO, you will need to ensure you have the staff numbers and understanding that you need to meet your GDPR obligations.
What’s the price of non-compliance?
Substantial. Non-compliance with the more technical and administrative obligations, e.g. data protection impact assessments, breach notifications, records of processing and certifications, will attract fines up to the GREATER of €10 million or 2% of global annual turnover (revenue). Non-compliance with the key provisions, such as the data protection principles, the conditions for consent and the rights of data subjects, will attract fines up to the GREATER of €20 million or 4% of global annual turnover. And that’s before we talk about reputational damage.
Data controllers will be legally obliged to notify the supervisory authority (in the UK, the Information Commissioner’s Office, or ICO) of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, the affected people must be told as well. That deadline is short, so a tested incident response process, and the logging needed to establish what happened and whose data was affected, should be in place before May 2018 rather than improvised afterwards.
Business v CRM Responsibility
The GDPR offers an opportunity for cleaner databases, better quality lead pipelines, lower cost per acquisition, more accurate forecasting and better ongoing CRM.
Your CRM system should support GDPR compliance by implementing privacy by design and by default in its build processes. However, it’s a joint responsibility. Whilst Microsoft (and we, as partners) should ensure your technology provides the access controls, audit trails and privacy functions you need, no product is compliant on its own: you must also ensure your processes and people are compliant, because the GDPR obligations sit with you as the controller. Dynamics 365 is already well prepared in its set up for GDPR, so speak with your Microsoft Partner for further support and information.
Watch our essential GDPR webinar for more information.