According to recent surveys, over 50% of businesses are not ready for GDPR. A staggering figure. Why so high? Brexit, perhaps? Leaving the EU will not change the government’s plans to implement the new regulation. Another plausible explanation is the belief that it will not apply to every organisation, which couldn’t be further from the truth. To clarify: GDPR applies to ALL data controllers and processors. A data controller is any person or entity that determines the purpose(s) for which, and the manner in which, personal data will be processed. A data processor is any person or entity that processes personal data on behalf of a data controller. In other words, it applies to anyone holding personal data for professional purposes. It is not only the major corporations that will be held responsible: every SME, and any blogger hosting a giveaway, will have to abide by the rules too.
A deep concern of mine is that employees are not being fully trained in data protection, let alone GDPR. As we have seen this year, with the NHS cyber-attack and with Yahoo! and TalkTalk once again in trouble, data breaches are a serious risk, and these cases show how many companies have still not put an adequate level of protection in place. We have been asked many times, and still are to this day, whether we can send and receive unprotected data by email, whether for the purpose of conducting a draw or for prize fulfilment. The answer is an absolute no: personal data must always be encrypted, in transit and at rest. Simple passwords such as 1234 do not work either. Passwords should be long and hard to guess, with a mix of upper- and lower-case letters, numbers and special characters, and never reused across systems. The data itself should be held only on a secure server, with access granted solely to those who need it to fulfil the specific purpose(s), and not on individual desktops. And don’t get me started on BYOD (Bring Your Own Device).
Another issue I believe members of staff do not quite grasp, and which we have also seen, is consent. Under GDPR, consent must be freely given, specific, informed and unambiguous, and signalled by a clear affirmative action. Weekly emails about your business’s latest offers cannot be sent to prize draw entrants who have not opted in to receive them in the first place. This is where I think corporations will get into trouble. We are often asked to provide data for a purpose that was not set out when it was collected. And the number of websites I have visited that still rely on opt-out or pre-ticked boxes is disconcerting. The only compliant approach moving forward is a positive opt-in: for instance, giving entrants an unticked box and stating clearly each purpose for which you would like to use their data after the promotion.
I also suspect that the fear of significant budgetary implications for restructuring procedures is off-putting. But, as our Prizeology motto goes, if you think compliance is expensive, try non-compliance. Currently, under the Data Protection Act, the maximum fine is £500,000. For a breach under GDPR, fines of up to €20 million or 4% of global annual turnover, whichever is greater, may be imposed.
That is the absolute maximum. Any penalty would be considered on a case-by-case basis, taking a number of factors into account, such as the nature of the breach, how many data subjects were affected and any previous infringements by the data controller or processor. The ICO has said it does not wish to make an example of anyone simply to impose a monetary penalty. The cost to your company’s credibility and reputation, however, could be significant. Ultimately, it is also about accountability, and about showing that you take your customers’ personal data seriously.
25 May 2018. This is the date on which the General Data Protection Regulation (GDPR) takes effect in the UK, bringing new rules on the secure collection, storage, use and deletion of personal data. Six months may seem like a comfortable amount of time in which to start preparing, but it isn’t. 2017 is almost over, and before you know it spring will be upon us. If you haven’t yet reviewed your processes, now is really the time to do so.
© Prizeology and The Prizeologist Blog, 2018. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited.