Prepping your business for the new data protection laws

1 October, 2017

Upcoming changes in data protection will affect all businesses, as Elliot Fry, a commercial solicitor at law firm Cripps Pemberton Greenish, explains.


In May next year, the EU’s General Data Protection Regulation (GDPR) will come into force. The GDPR applies to all personal data, which is any information relating to an identified or identifiable individual, including employees and people acting in a business capacity, meaning all businesses will be affected.


There are also potential specific changes in relation to email marketing, which could significantly impact B2B approaches to new prospects. While those changes have not been finalised, the effect could be that businesses will only be permitted to send marketing emails to new prospects if they have requested or given their explicit consent.


It should also be noted that the GDPR comes into force pre-Brexit, but the UK Government has already published a statement of intent around implementing a domesticated version post-Brexit. The UK intends to keep pace with EU data protection law, meaning the GDPR is here to stay.


Why should I care?

As well as investigation, ‘naming and shaming’ and bad publicity, businesses could face eye-watering fines of up to four per cent of global turnover, or (if higher) €20m or £17m. Planned UK legislation will also include criminal offences for certain breaches.


Even businesses which don’t hold customer data can be affected, as leaks of employee data can have significant consequences (and lead to group legal action from affected employees).


What do I do?

The first step towards compliance should be a full, detailed mapping of all personal data the business uses, including how it enters, moves around, and exits the organisation. This involves all levels of the business (including HR, marketing, and IT) to produce an accurate picture of personal data use. From that, areas of risk or non-compliance can be identified. In particular, every use of personal data must be lawful, and the security measures which apply to such data must be appropriate.


Where businesses rely on consent to justify use of personal data, that consent needs to be freely given, informed, specific and unambiguous. It should also be recorded to ensure an audit trail of compliance.


Circumstances where personal data is shared with other organisations also need reviewing to ensure the disclosure is compliant. Specific contractual obligations may be needed, as well as due diligence regarding the recipient’s security measures.


Individuals have a right to be informed about how their personal data is used, as well as their legal rights, so internal and external privacy notices will be needed.


Businesses should also prepare for potential new requests from individuals regarding their personal data, as the GDPR expands the rights individuals have on this front. New obligations are also being introduced which require notifications to the UK’s Information Commissioner’s Office, and potentially to the individuals affected, in the case of certain data security breaches.


Key Points

GDPR will affect all organisations. While the changes to B2B marketing aren’t yet certain, businesses can and should start preparing for the new legislation now. Key to this is obtaining a comprehensive understanding of the collection, use and disclosure of all personal data.

First published in B&I magazine on 1 September 2017.