This is the second of my series of blogs on GDPR (General Data Protection Regulation), which is designed to protect the personal data of EU citizens.
If you’ve read my first post you know that failing to comply with this upcoming regulation can have very serious consequences: non-compliance can be punished by fines of up to €20 million, or up to 4% of your company’s total worldwide revenue for the preceding financial year – whichever is higher.
Don’t get caught out. GDPR comes into effect on May 25th, 2018 and will apply to all firms, regardless of location, that have clients in the EU.
You must start preparing now to ensure you comply. These are the main points you need to consider:
- Consent is essential. If you want to collect and use a client’s data – such as an email address or telephone number – you must have their explicit consent to do so.
- Be specific on how you use data. You can only use the data you have collected for specific purposes, such as sending marketing emails, and this consent can be withdrawn by a client at any time.
- Access must be given. Your clients have the right to access the information you hold about them. They also have the right to learn who within your organisation has access to their data, how it is accessed, the purpose of the access, where it is being accessed, and what categories of data are accessible.
- Deletion is a right. Your clients have the right to request deletion of personal data if they do not wish to allow its use.
- Corrections must be made. Your clients have the right to request corrections to their personal data if they believe it to be inaccurate, and they can object to profiling that could result in discrimination against them.
In my next blog on this subject I’m going to look at what you must do within your company to abide by these rules and comply with GDPR.