From 25 May 2018, the General Data Protection Regulation (GDPR) will apply in the UK, replacing the current Data Protection Act.
As well as modernising the current laws surrounding data protection, it will also introduce a tiered approach to fines for those who fail to comply with the new rules. Joanne Smith, chief executive of consultancy TCC Group, said: “The main surprise to small business owners may be the vastly increased level of fines for noncompliance.”
Under GDPR, the Information Commissioner’s Office (ICO) can issue fines for some infringements of up to four per cent of global turnover, or 20 million euros, whichever is higher. By comparison, under the current rules the ICO can fine at most £500,000 for serious breaches.
Businesses will also be required to keep a thorough record of how and when an individual gives consent to be contacted, which can no longer be inferred from a pre-ticked box.
This also means that if you’ve purchased a list of potential customers, you must ensure the database comes with similar documentation of consent.
Individuals must also be able to withdraw consent at any time, and businesses must respond by permanently erasing their data.
These are just a few of the measures that will significantly change the way businesses market their products and interact with consumers.
Ms Smith added: “GDPR delineates the roles and responsibilities of controllers and processors, with joint liability for data-protection breaches. Any small business that processes data for a client firm may have to demonstrate they have appropriate data-processing controls in place and they comply with the GDPR.”
Last week, the national pub chain Wetherspoons revealed that it had deleted its entire email mailing list – estimated at around 656,723 addresses – in preparation for the GDPR.