Posted by: Olivia Carass

GDPR is upon us and we wanted to let you know what happens now. What could you be fined for and how can you avoid it?

The anticipation is over. We’ve been going on about it for months on end now and it’s finally here. No doubt your email inboxes have been overflowing over the past few weeks inviting you to ‘opt in’ or ‘miss out’. Our privacy policy is all set up and we hope that yours is too.

The 25th of May 2018 marks the first day of GDPR. If you don’t know what GDPR is by now then we’re not sure where you’ve been, but here’s some background info: the General Data Protection Regulation is an EU regulation that applies directly in every member state from that date. It replaces the 1995 Data Protection Directive and the national laws built on it, and it governs how personal data is collected, stored, processed and shared.

If your business is established in the EU, or is based elsewhere but offers goods or services to people in the EU or monitors their behaviour (for example through website analytics), it has to comply with GDPR. The personal data covered includes basic identity information, web data such as IP addresses and cookie identifiers, and the ‘special category’ data that carries extra protection: ethnicity, sexual orientation, health and political opinions, among others.

If you and your company don’t adhere to GDPR then you could be fined up to 20 million Euros or 4% of your company’s annual worldwide turnover, whichever is higher. With such steep fines in store for those who break this law, a clear privacy policy and cookie policy are the minimum you need in place, and they have to describe what you actually do with the data, not just what you would like to be doing.

As well as having these policies ready to go, if you run an email list you need to be able to show a lawful basis for every address on it. Where that basis is consent, it has to meet the GDPR standard: freely given, specific, informed and unambiguous, with a record of when and how it was given. Pre-ticked boxes and silence don’t count. If your existing subscribers’ consent doesn’t meet that standard and you have no other lawful basis, you cannot continue sending them email campaigns. This could be a big knockback for businesses that haven’t worked out how to persuade their subscribers to stay on the list.

It’s also important to bear in mind that your customers have the right to be forgotten if they so wish. You should have a process ready to find and remove a person’s data from your records when they request it, normally within one month, and that includes copies held by any third parties you have shared the data with (your email platform or payment provider, for example). You might run into trouble later on if you do not.

If a data breach actually takes place then your next step is to report it to your supervisory authority, the Information Commissioner’s Office for UK organisations, within 72 hours of becoming aware of it. It is important to stress here that it is your responsibility to report data breaches, not your customers’, and if a supplier processing data on your behalf is breached they must tell you without undue delay so that you can meet the deadline. Failing to notify can attract a penalty of up to 10 million Euros or 2% of annual worldwide turnover, whichever is higher. The notification duty does not apply where the breach is unlikely to result in a risk to people’s rights and freedoms, but you still have to record the breach and your reasoning internally. Where the breach is likely to result in a high risk to the people affected (leaked passwords or financial details, say), you must also tell those people without undue delay, so that they can protect themselves.

The bottom line is to make sure that you are clear and explicit with those who will use your site and/or purchase your products when it comes to how their data is being handled.

At this point we really hope that you’re reading this blog post and thinking “Thanks, Core, but I already know all of this.” If that’s the case then great!

If not, then we’ll leave you with this: ‘Don’t panic!’ What we mean is that although these measures are paramount and should indeed be taken seriously, in reality it is highly unlikely that you will be slapped with a massive fine on day one. The size of any fine has to take into account the nature and duration of the infringement, the steps you took to mitigate it and how you cooperated with the regulator, so the maximum penalties are reserved for serious or wilful non-compliance, not for a business that is demonstrably working through its obligations.

What it does mean though is that getting a plan in place to address this eventuality is a priority.

If it all seems a bit too much or you’re struggling to get a handle on your data please get in touch with us and we’d be happy to help get your GDPR requirements in order.

Happy GDPR day!