Price comparison website Moneysupermarket has been fined £80,000 ($103,000) by the Information Commissioner's Office for sending more than seven million emails to people who had opted out of receiving its communications (http://www.bbc.co.uk/news/technology-40684579). Asking people to consent to future marketing messages when they have already opted out is against the law.
The EU General Data Protection Regulation (GDPR) comes into force in May 2018. The Regulation preserves the existing rights of individuals to object to direct marketing, but the rules for obtaining valid consent have been changed. The consent document should be laid out in simple terms. Where consent is the lawful basis for processing, the consent given must be clear and affirmative. Silence or inactivity does not constitute consent. Organisations that fail to comply with the Regulation can expect fines of up to 4% of annual global turnover or €20 million, whichever is higher.
Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from. However, there are new elements and significant enhancements, so you will have to do some things for the first time and some things differently.
It is important to use this checklist and other Information Commissioner’s Office (ICO) resources to work out the main differences between the current law and the GDPR. The ICO is producing new guidance and other tools to assist you, as well as contributing to guidance that the Article 29 Working Party is producing at the European level. These are all available via the ICO’s Overview of the General Data Protection Regulation. The ICO is also working closely with trade associations and bodies representing the various sectors – you should also work closely with these bodies to share knowledge about implementation in your sector.
It is essential to plan your approach to GDPR compliance now and to gain ‘buy in’ from key people in your organisation. You may need, for example, to put new procedures in place to deal with the GDPR’s new transparency and individuals’ rights provisions. In a large or complex business this could have significant budgetary, IT, personnel, governance and communications implications.
The GDPR places greater emphasis on the documentation that data controllers must keep to demonstrate their accountability. Compliance with all the areas listed in this document will require organisations to review their approach to governance and how they manage data protection as a corporate issue. One aspect of this might be to review the contracts and other arrangements you have in place when sharing data with other organisations.
Preparing for the General Data Protection Regulation (GDPR)
Some parts of the GDPR will have more of an impact on some organisations than on others (for example, the provisions relating to profiling or children’s data), so it would be useful to map out which parts of the GDPR will have the greatest impact on your business model and give those areas due prominence in your planning process.
Prepare for GDPR or benefit from the UK Government-backed Cyber Essentials Certification and stay one step ahead of your competition.
Contact our Cyber Security team today.