On May 25th 2018, a new regulation concerning privacy comes into effect. This new rule called the General Data Protection Regulation, or GDPR, will be implemented across all EU and EEA member states.

The GDPR will apply to all businesses that store personal information about citizens in Europe, even if the company itself is based in another continent. The idea of the new regulation is to provide EU and EEA citizens with greater controls over their own personal data and should help to provide assurances that information of a personal nature is being securely protected.

What types of data will be impacted?

The GDPR directive states that “personal data” is any information relating to a person, included (but not limited to) names, photographs, email addresses, bank details, social networking posts, location details, medical information, computer IP addresses and biometric data.

The legislation makes no distinction between personal data in private, public or business roles – personal data is exactly that: personal. For example, in business-to-business settings, customers may be companies, but at the heart of every transaction or deal is an interpersonal relationship concerning individuals.

What rights will individuals have under the new legislation

Under the General Data Protection Regulation, EU and EEA citizens will have:

1) The right to access personal data and enquire about how their data is used by a company after it has been gathered. Companies will be required under law to provide a copy of any personal data free-of-charge, in an electronic format if required.

2) The right to be forgotten. Ex-customers or those who withdraw consent for their data to be used/stored have the right for information pertaining to them to be deleted.

3) The right to portability of data, meaning that individuals can request that their data is transferred from one service provider to another, in a commonly-used, machine-readable format.

4) The right to be kept informed. Individuals must be notified before any data relating to them is gathered – consent must be freely given and is not implied.

5) The right to correct erroneous details. Individuals can demand that incorrect or incomplete data is updated.

6) The right to restrict processing. Customers can request that their records remain in place, but are not used.

7) The right to object. This allows individuals to put a stop to personal data use for direct marketing purposes, without exemption. Individuals should also be made aware of this right at the beginning of any communication.

8) The right to notification. In the event of a data breach, all concerned individuals should be informed within 72 hours of the breach taking place.

What will the GDPR mean for small-medium businesses?

The new legislation effectively puts the consumer in the driving seat, passing the task of regulating data solely to businesses. Businesses who flout GDPR directives could face tough penalties including a fine of up to 4% of annual revenue.

Ultimately, this means that companies which handle or process personal data should consider assigning the role of data protection officer or controller to an employee in order to delegate responsibility for GDPR compliance.

What departments are likely to be affected?

It’s a common misconception that GDPR legislation is simply an IT issue. Sales, marketing and customer service activities typically rely on CRM systems as a backbone for storing customer information and helping to target leads – and with GDPR, customer engagement is about to change.

Record-keeping will almost certainly become more complex as companies become responsible for providing documentary evidence that customers have opted in to receiving marketing communications, and increased regulation of the storage and backup of personal data means greater care needs to be taken by administrative staff to prevent theft or loss of customer records – proof positive that the GDPR will impact multiple departments in equal measure.