An Overview of GDPR
The General Data Protection Regulation has created quite a stir over the last few months. The new GDPR is in effect from 25th May, and it replaces the Data Protection Act, which was introduced in 1998. The Data Protection Act was useful at the time, but the Internet has changed the way that we communicate, and companies hold far more data on us now than they did a few decades ago. The intent of GDPR is to restrict what companies are able to do with our data, so that we have more privacy and control.
The GDPR regulations cover a lot of new areas, including:
1. Greater Territorial Reach
The regulations cover companies that are based outside of the EU but that deal with customers inside the EU. Those companies were not covered by the Data Protection Act, but will face restrictions under GDPR.
2. Clear Consent
Customers must give clear, informed and unambiguous consent to have their data handled by a company. If the customer is not able to refuse consent without that being to their detriment, then the consent is not considered to be freely given, and the company may be in breach of the GDPR.
3. Privacy is the New Default
The GDPR puts a lot of emphasis on accountability. It requires that companies demonstrate compliance: keeping good records, conducting impact assessments, and maintaining careful data protection practices at all times. Principles such as data minimisation are intended to ensure that the customer is always protected.
4. Keep Customers Informed
Data controllers are required to inform the Data Protection Authorities promptly when a breach is discovered. In some cases, the requirement is for a notification to be sent out within 2 hours. Customers must be informed about what data is held about them, and be provided with information on how to manage their data.
5. The Right to Be Forgotten
The right to be forgotten is perhaps the most interesting and useful of the new rules. It means that a person can require a company to delete their data if there is no reason for the company to retain it. The company must pass the request on to any third parties that might hold a copy of that customer’s data, so that it can be removed from their databases too.
The regulation ensures that people feel in control of their data, and it pushes companies to plan properly and think about the risks associated with handling data. It reduces the likelihood of breaches occurring and ensures that if a breach does happen it will be less damaging, because only essential data is being handled.
6. Those Re-consent Emails May Not Be Necessary
The re-consent emails that you have been getting from other companies may be unnecessary. Many companies are sending out emails asking people to re-consent to mailings that they have already opted in to in the past. There is not really any need to do this. Your opt-in mailing lists are still valid, and will remain valid after the GDPR deadline. If a company has been emailing customers who had not opted in, then it is doing something that is probably against the law anyway. If a company wishes to contact customers about contractual obligations or billing, then this falls into a different category from what GDPR is intended to cover.
Some companies are using GDPR as a chance to clean up their databases, and this makes sense. It’s a good opportunity to contact people and ask them to update their contact details or to remove themselves from emails that they don’t want to get. Beyond that, however, GDPR is not really something that most companies need to panic about; at least not in terms of maintaining a mailing list.
The main area where GDPR does matter is the issue of what data you collect going forward, and how long you hold it for. Now is a good time to consider how much information you hold about people. Do you really need to build up Facebook-level profiles of your customers and their interests if you sell accounting software? Is it necessary to pass on all of the information you hold about your customers to a third party that you are working with? Sometimes less is more, and holding less will help you to avoid getting a reputation as a spam company, or annoying your customers.
7. Your Obligations as a Business Owner
Every business owner who deals with customers on a regular basis is going to need to consider the implications of GDPR and communicate them to their customers. It is important that the company gets people to opt in to communications and provides them with clear explanations of how the data being collected will be handled. This is one area where a lot of companies struggle, especially if they have a lot of customers coming and going, or if they operate online and deal with customers from more than one country.
Since GDPR covers the whole of Europe, and also requires that companies from outside Europe that target European customers comply with it, it’s important that you provide your GDPR notifications in a way that your customers will be able to understand. This may mean having the notifications translated into multiple languages.
Do not use Google Translate for this. The wording of your GDPR notifications must be clear, concise and unambiguous. While Google Translate has some utility as a tool for reading blogs or communicating while on holiday, it is not up to the task of translating what is effectively a legal document. Hiring a professional translator who understands the GDPR regulations will help to ensure that you get the best possible results, and that all of your customers, wherever they are from, understand what you will be doing with their data and what their rights are.
Contact Espresso Translations and we will provide you with a quote for our GDPR translation services within the hour.