Multi-award-winning business lawyer Suzanne Dibble explains the GDPR and its impact on businesses
GDPR is supercharging data protection laws. Data and its processing have changed a lot in the last 20 years since the last Data Protection Act was brought into effect and it’s about time that the law caught up.
The Economist surmised that data is now the world’s most valuable asset and it’s not hard to see this in evidence – the recent Facebook and Cambridge Analytica case showing that data can influence elections and the future course of history.
So it’s only right that we have some serious sanctions introduced.
The maximum fine of €20m reflects the seriousness of data protection in this modern world.
However, before you start running for the hills and thinking twice about continuing with your business, take comfort in the fact that these fines will be reserved for the most serious data breaches and non-compliance with GDPR.
The chances of you, as an independent retailer, being fined €20m or any significant amount are, in my view, as remote as Cliff Richard appearing on X Factor any time soon.
Comply with GDPR
Now that’s not to say that you shouldn’t take steps to comply with GDPR.
Indeed, it is those retailers who stick their heads in the sand that are likely to have complaints made against them and when the ICO investigate, the fact that you have ignored GDPR as irrelevant to you is not going to help your case.
As consumers become more savvy about data protection and GDPR with the upcoming ICO public awareness campaign, they are going to start asking you more questions about it.
Those retailers who are on top of GDPR and can show that they are interested in protecting their customers’ data will have a competitive advantage.
So what can you do to comply? One of the main principles of GDPR is transparency – telling people what you are going to do with their data.
The first thing to do is to carry out a data inventory. What data do you store? What do you do with it? Where did you get it from? Who do you share it with? What lawful ground of processing are you relying on to process it?
If you collect the personal data of customers and prospects in the shop, then you could think about displaying a privacy notice and directing people to that as they provide their details to you – again presenting this as a competitive advantage.
If you need to rely on consent as a lawful ground for processing data, then make sure you offer genuine choice and control – no pre-ticked boxes, no bundled consent, no making consent a condition of the service being provided.
GDPR is a complex regulation, but there are a few simple steps you can take to comply. I have outlined a few above, but if you want to know the full picture, then download my free checklist.