Regulation | May 23 2018

Finding ways to connect


By now you will have probably already received about 30,000 requests from newsletter and subscription services to renew your allegiance with them under the new General Data Protection Regulation (GDPR) rules that come into force from 25 May. 

Of course, I am exaggerating, it is likely to be closer to 29,900 requests, but you get the point. Everyone from your florist to your local car dealership will be in touch to check you are happy to keep receiving information from them. 

Taking action 

Doing nothing means you will be taken off their mailing lists, so you will not hear from them again. Therefore, it is a good time to thin out all of those email subscriptions you signed up to on a whim and wondered why you never got around to unsubscribing from them. 

But if you do not take any action at all, then you could lose some of the information that you value, so action really is necessary if you want to keep hearing from them.

However, as an IFA, you also have a responsibility under the GDPR rules to ensure your own customers are happy to still hear from you. If you have not done anything about communicating with people on your mailing lists yet, then you should do. Sharpish.

The document relating to the implementation of this regulation is 88 pages long, and the threat to you and your business is very real indeed if you do not implement the safeguards and then suffer a data breach as a result. 

Failing to report a data breach to the Information Commissioner's Office (ICO) within 72 hours of its discovery could result in a fine of up to €10m (£8.7m) or 2 per cent of your worldwide turnover – for many companies this is easily enough to shut them down. 

For businesses, the primary GDPR change is around accountability, and the fact that you must show that you have actively implemented measures to safeguard the data that you hold. 

The ICO website states that GDPR is “a new data protection principle that says organisations are responsible for, and must be able to demonstrate, compliance with the other principles”. 

It adds: “Although these obligations were implicit in the Data Protection Act 1998 (1998 Act), the GDPR makes them explicit.” So, no longer would you be able to say that you thought you were doing the right thing, but actually you were not sure. It will no longer wash.

The ICO continues: “You now need to be proactive about data protection, and evidence the steps you take to meet your obligations and protect people’s rights. Good practice tools that the ICO has championed for a long time, such as privacy impact assessments and privacy by design, are now formally recognised and legally required in some circumstances.

“Organisations that already adopt a best practice approach to compliance with the 1998 Act should not find it too difficult to adapt to the new requirements. 

“But you should review the measures you take to comply with the 1998 Act, update them for the GDPR if necessary, and stand ready to demonstrate your compliance under the GDPR.”

Whether you are a one-man band IFA, a small company or one of the largest firms in the land, you now need to prove that you are actively working to comply with the regulations, rather than simply registering for data protection status with the ICO and leaving it at that. By the way, you have all already done your ICO registration haven’t you? Just checking.

The focus on accountability under the GDPR now means that you have to have undertaken certain steps to be able to prove that you have considered the risks in relation to the protection of the personal data that you hold.

You also have to be able to show the steps you have taken to comply, which is trickier unless you take a structured approach to your data processing. 

Smaller organisations are likely to have a smaller scale approach to accountability than a large firm, according to the ICO, but it is explicit that even this should “ensure a good level of understanding and awareness of data protection among your staff; implement comprehensive but proportionate policies and procedures for handling personal data; and keep records of what you do and why”.

Opportunity

Since the legislation soon comes into force, time is now seriously ticking for any firm that has not yet done anything about it. By the time you read this, you will have a maximum of two to three days left to ensure you comply before the deadline.

So, it is vital not to sit on your hands, but instead get in touch with your customers and make sure they are happy to keep in touch with you. You may even find that it brings in some new business from those you have not had direct contact with for some time.

Alison Steed is a freelance journalist