GDPR compliance is a significant issue for businesses of all sizes, as under the General Data Protection Regulation, much more control is given to consumers to determine how their data is stored and used.
That means, for example, that you can no longer market your services to past customers unless you have their express permission to be contacted in such a way – and that you must delete their contact details if and when they decide to revoke this permission.
But it’s an issue that goes far beyond just marketing, and affects how you store data about past customers, often in a way that appears to conflict with minimum data retention rules in regulated industries.
GDPR has already come into force, but businesses in general are being given a period of grace to iron out any remaining kinks. That is not an excuse for complacency.
This time has been given to businesses to identify any remaining flaws in their GDPR compliance, not to start from scratch having ignored the regulation up to this point. Whichever circumstance best describes you, make the most of this last chance to get up to speed.
What are the risks of GDPR non-compliance?
It is hard to quantify the risks of GDPR non-compliance while this grace period is in effect, but the financial sanctions are potentially substantial: up to 4% of your company’s annual global turnover or €20 million, whichever of the two is the higher amount.
There are reputational risks too. This is a headline-grabbing topic, and the first big fines are likely to receive large amounts of publicity, especially in the relevant trade press – so make sure you are not one of those who make headlines in this way.
On a smaller but ongoing scale, there’s a daily risk of appearing unreliable and untrustworthy if you don’t give your customers fair control over their data, or if you continue to market new products and services to them in a way that is not compliant with GDPR.
What to do about GDPR compliance
There are some steps you can take to improve your compliance with GDPR beyond just updating your data retention policy:
- Consider appointing a Data Protection Officer and setting up a dedicated GDPR team.
- Identify the incoming sources of data, how you store that data physically, and how you delete it.
- Check that you are obtaining consent to store and process data for specific purposes.
- Offer a way to withdraw consent and request that data is deleted and no longer processed that is as easy as giving consent in the first place.
- Make sure you are not failing in any other regulatory duties if you delete an individual’s data.
GDPR is widely perceived as a large and complicated subject, and it is not one you can ignore; but the grace period before enforcement action begins in earnest is a last chance to catch up with other companies that have already made the necessary changes to their processes.