By now you will have probably already received about 30,000 requests from newsletter and subscription services to renew your allegiance with them under the new General Data Protection Regulation (GDPR) rules that come into force from 25 May.
Of course, I am exaggerating: it is likely to be closer to 29,900 requests, but you get the point. Everyone from your florist to your local car dealership will be in touch to check you are happy to keep receiving information from them.
Doing nothing means you will be taken off their mailing lists, so you will not hear from them again. It is therefore a good time to thin out all of those email subscriptions you signed up to on a whim and never got around to unsubscribing from.
But if you do not take any action at all, then you could lose some of the information that you value, so action really is necessary if you want to keep hearing from them.
However, as an IFA, you also have a responsibility under the GDPR rules to ensure your own customers are happy to still hear from you. If you have not done anything about communicating with people on your mailing lists yet, then you should do. Sharpish.
The document relating to the implementation of this regulation is 88 pages long, and the threat to you and your business is very real indeed if you do not implement the safeguards and then suffer a data breach as a result.
Failing to report a data breach to the Information Commissioner's Office (ICO) within 72 hours of its discovery could result in a fine of up to €10m (£8.7m) or 2 per cent of your worldwide turnover – for many companies this is easily enough to shut them down.
For businesses, the primary GDPR change is around accountability, and the fact that you must show that you have actively implemented measures to safeguard the data that you hold.
The ICO website states that GDPR is “a new data protection principle that says organisations are responsible for, and must be able to demonstrate, compliance with the other principles”.
It adds: “Although these obligations were implicit in the Data Protection Act 1998 (1998 Act), the GDPR makes them explicit.” So you will no longer be able to say that you thought you were doing the right thing but were not actually sure. That excuse will no longer wash.
The ICO continues: “You now need to be proactive about data protection, and evidence the steps you take to meet your obligations and protect people’s rights. Good practice tools that the ICO has championed for a long time, such as privacy impact assessments and privacy by design, are now formally recognised and legally required in some circumstances.
“Organisations that already adopt a best practice approach to compliance with the 1998 Act should not find it too difficult to adapt to the new requirements.
“But you should review the measures you take to comply with the 1998 Act, update them for the GDPR if necessary, and stand ready to demonstrate your compliance under the GDPR.”