Almost half of UK business owners are braced for a GDPR non-compliance penalty ahead of the 25 May deadline, a new survey has found, with private enterprises struggling to agree on internal accountability.
Later this month, the new data protection rules will introduce stricter consumer consent requirements for businesses to adhere to. Essentially, where a business relies on consent, customers must actively opt in to sharing their personal data with it.
According to new research into data governance attitudes ahead of GDPR, undertaken by data privacy firm Ensighten, 45 per cent of company owners have set money aside in anticipation of a GDPR fine.
Meanwhile, 61 per cent of survey respondents would apply for an extension to the deadline if they could, highlighting a potentially worrying lack of organisation among UK businesses.
Commenting on the findings, Ian Woolley, Ensighten CEO, said that business owners remained “aware, but still uncertain” in the final month of GDPR preparation.
“The good news is that brands still have time to deploy and optimise customer privacy and consent options on their websites,” he added.
“Educating consumers on how their personal data is used and why their permission is needed is essential to building consumer trust and gaining their opt-in consent. GDPR is not just a legal hurdle to jump.
“Whilst brands are putting money aside for fines, they should not underestimate the damage to their reputation and business from not educating customers now.”
The Information Commissioner’s Office (ICO) will have the power to fine a non-compliant company up to €20m (around £17m), or four per cent of annual worldwide turnover, whichever is higher.
However, the amount of a penalty is not fixed in advance: the ICO can take an organisation’s conduct into account, for example whether a culture of data protection is evident and demonstrable steps have been taken towards compliance.
Following confirmation that on-demand taxi app Uber concealed a data breach affecting 57m of its users, legal experts have suggested the company would have faced the harshest penalties had the incoming data protection rules already been in force.
One of the reasons firms seem unprepared for GDPR, the study found, could be the lack of consensus over who is responsible for data protection within a business.
Almost a third of respondents said it should lie with the CEO, but one in four wanted to hand GDPR over to the chief data officer. Just 22 per cent believed responsibility should lie with the chief marketing officer.
GDPR countdown: What businesses need to do right now
Over the last year, our experts have been helping small business owners get their house in order ahead of GDPR. Here are their essential tips.
Undertake an organisation-wide data audit
Ryan Wain, chief marketing officer at Unlimited Group, advised decision makers to undertake a full audit on data held by a business.
“Distinguish between personal and non-personal data, identify its use, the processes applied to it and the legal considerations. This does not have to mean line-by-line data analysis – where they can be, different data sets can be grouped together,” Wain explained.
“Inevitably, you will find data that’s years old and no longer needed. If you decide this poses a compliance risk, deleting it delivers immediate benefits.”
Following this, Wain advised owners to delete old data, catalogue the results and then fill in the gaps.
He added: “Possibly the most important consideration is to avoid viewing GDPR compliance as a process with a hard and fast end point. Rather, it will be an on-going journey as you gather and process new data moving forward.”
Collecting customer information under GDPR
What are retailers permitted to do with the email addresses and customer information handed over by shoppers at checkouts? Charlotte Ebbutt and Malcolm Gregory, from law firm Royds Withy King, explain the rules.
“Email addresses collected at the point of sale are considered personal data under current data protection regulations and under the GDPR. The rules state that data must be ‘collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.’
“This means that if an email address is given for the purpose of receiving an e-receipt, it must only be used for that purpose. A retailer cannot then use that customer information for marketing or any other purpose. Once the receipt has been sent the email address should be deleted, as the regulations do not allow for the unnecessary storage of personal data.
“If a retailer wishes to use email addresses gathered at the point of sale for subsequent direct marketing this must be ‘explicitly brought to the attention of the customer’ and presented ‘clearly and separately from any other information’.”
GDPR after Brexit
Even after Britain leaves the EU, data relating to EU citizens will still fall under the remit of GDPR. If your business or organisation processes such data, it remains bound by the regulation.
Post-Brexit, it remains to be seen whether data on UK citizens will also be covered. The wise course is to prepare now to process all personal data under the new rules.
Final takeaways to become GDPR-compliant
- Requests for consent must be intelligible; for sensitive personal data, users must explicitly opt in rather than opt out
- Individuals must have the right to access their data
- Individuals must have the right to withdraw consent and prevent further dissemination of their data
- Security breaches must be reported to the ICO within 72 hours, and affected individuals notified where the breach poses a high risk to them