What does your board need to know about GDPR?

GDPR – 25 May 2018. #GDPRday.

After months of preparation and discussion, it’s finally here. Today the General Data Protection Regulation comes into force.

The regulation now becomes ‘business as usual’. So, what does it actually mean?

How do your marketing and compliance practices need to change – and what role should the board play?

We round up the latest news and opinion as the regulation takes effect. 

Clarity on the requirements

One of the challenges around the new regulation – particularly in the early stages – was a lack of clarity around what exactly it means, and what organisations need to do to comply.

The Information Commissioner’s Office is the UK’s representative on the EU’s GDPR Working Party, and has been proactive in trying to clarify the requirements.

Some of the detail around the regulation was not released until fairly recently, making this a difficult job – but the ICO has tried throughout the preparation phase to cut through some of the uncertainty.

Its blogs and publications on the regulation have delivered ‘plain English’ explanations on what’s needed – a helpful resource.

Is GDPR as big a deal as we have been led to believe?

The new regulation has given rise to a wealth of law firms and others offering compliance advice and implementation support.

In some ways, the flurry of activity is similar to that around payment protection insurance claims – and with some commentators suggesting that data breaches will be the next PPI scandal it’s little wonder businesses are taking it seriously.

The penalties for non-compliance are significant – the ICO can impose fines of up to €20m (£18m), or 4% of the firm’s worldwide turnover, for firms that are seen to deliberately or continually fail to address data shortcomings. This is just one of the reasons we believe that GDPR is something the board should care about.

Making consent processes more robust

Getting compliant consent from individuals to ‘process’ (i.e. use) their data has been a huge focus of GDPR discussions.

Last week, the Information Commissioner’s Office published its final guidance on consent, setting out how consent differs under the new rules. The guidance compares the previous Data Protection Directive definition of consent with the GDPR one:

DP Directive definition:

“any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”

GDPR definition:

“any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”

It notes that while ‘the key elements of the consent definition remain…the GDPR is clearer that the indication must be unambiguous and involve a clear affirmative action’.

And that ‘this definition is only the starting point for the GDPR standard of consent. Several new provisions on consent contain more detailed requirements…In essence, there is a greater emphasis in the GDPR on individuals having clear distinct (‘granular’) choices upfront and ongoing control over their consent.’

So – your contacts have more choice when they initially give consent and, in future, can expect to exert more control over how their data is managed.

Is it all about consent?

More robust consent is definitely a big feature of the new regulation. But it’s wrong to assume that GDPR compliance is all about getting compliant consent.

There are five other lawful bases for processing data – something that many firms seem to have woken up to fairly recently. In the past week or so, you’ve probably noticed that your inbox is full of emails focusing on privacy policies rather than on seeking consent.

If your firm is still seeking consent, it’s worth exploring whether one of the other bases is more appropriate for you. The ICO guidance has more on this.

Privacy panic

In a BBC News article titled ‘GDPR: the great privacy panic’, technology correspondent Rory Cellan-Jones today talks about the ‘increasingly frantic messages asking me to opt in’.

But he goes on to say that these emails may not be necessary – that maybe companies don’t ‘really need to send out a "click here or disappear" email, rather than the less radical approach of outlining their privacy policy and giving recipients the opportunity to unsubscribe from the mailing list’.

The danger with the consent approach, he says, is that while larger organisations may be acting on ‘expensive legal advice that this was the safe route to take’, smaller businesses may follow their lead, and ‘risk losing contact with customers who could be vital to their future’.

If you sit on the board of a smaller business, you may want to read our tips on how small businesses can overcome the GDPR challenge.

Today marks the start – not the end – of compliance

As the ICO said in a tweet today, ‘Today is not a deadline’. 25 May doesn’t mark the end of work on GDPR and enhanced data protection. Instead it’s the start of a new era in communication and data.

Elizabeth Denham, the Information Commissioner, has been in demand this week, responding to a surge of interest in the new rules. This morning she made an appearance on Radio Four’s Today programme; this week she has also published a new blog about the updated Data Protection Directive and its role alongside the GDPR.

What do boards need to do?

If you haven’t already, you need to think about how your firm’s marketing may change under GDPR. For instance, it’s predicted that it will increase the use of social media.

For regulated firms, in particular, this can create new challenges around meeting FCA standards for social media content. If this is something your firm is planning to do more of, find out how to minimise risk in your social media strategy.

You might also want to explore some of the efficiencies your firm, and particularly your Marketing team, can make to counteract the additional work the new regulation will bring.

A responsible approach to data

Central to complying with the GDPR requirements – and many of the other rules that regulated firms face – is creating a customer-focused culture. Embed a culture with compliance and fair treatment of customers at its heart and you will have a head start with any regulation aimed at improving the consumer experience.

This culture needs to start at the top – one reason why the board is so central. Demonstrate the behaviours you want to see across your organisation and they are more likely to be delivered. If this is something your firm struggles with, there is advice in our blog ‘Is your board failing on improving corporate culture?’.

You need to keep an eye on what’s new in culture, compliance and regulation if you want to steer your business in the right direction.

Keep an eye on the ICO’s regular blogs and GDPR microsite – both good sources of information. Staying abreast of any new thinking will help as the regulation becomes ‘business as usual’.

Of course, this isn’t the only regulation you need to comply with – and your time is in short supply. You need to make sure your board runs as efficiently as possible in order to keep on top of all your obligations.

To find out how to make your board more efficient, read our recent blog on the topic. You can also download a copy of our free whitepaper, Board portals – what’s in it for directors? to read more about how you can use technology to improve board efficiency and effectiveness. Read a copy here.

Nothing in this document should be treated as an authoritative statement of the law. Action should not be taken as a result of this document alone. We make no warranty and accept no responsibility for consequences arising from relying on this document.
