What is GDPR and why is it necessary?

4 October 2017

Put simply, GDPR implementation gives EU citizens more control of their personal data and how it’s used. Current legislation was created pre-internet, and with technological advancements data has become more at risk of exploitation.

Currently the UK operates under the Data Protection Directive, which allows a ‘soft’ opt-in approach for data collected from customers and prospects, such as taking details at POS, offering e-receipts and website checkboxes. Even business card exchanges count as soft opt-ins, allowing businesses to market to contacts. Under GDPR the soft opt-in fails compliance.

With the new legislation, an email process – double opt-in – will become essential to retailers and suppliers looking to continue marketing from May 2018.

The two-step process requires clarity and unambiguity about why a person’s details are taken, and clarity for that person that they’re opting into marketing. An email should be sent to confirm consent.

The EU GDPR makes it explicitly clear that consent has to be provable. Businesses must keep a record of opted-in subscribers so that they can provide proof of consent and any on-going engagement.

GDPR defines 'personal data' as any stored/collected data that could potentially identify an individual.

The main GDPR intentions are:

• The right to be forgotten

• Easier access to data stored about yourself

• Right to know when your data has been hacked

• Right to data portability

• Security by design and default

• Stronger enforcement of the rules

What do companies need to do?

Make sure that staff are GDPR-aware, and that anyone who takes customer details expresses the company’s intent clearly regarding what will happen with the data.

It’s recommended that businesses implement an information audit, detailing what personal information is being held, where and how it was collected and where it is shared, and who has access to it.

Who does it affect?

GDPR affects anyone running a business where any data is stored about individuals. It imposes direct obligations on organisations and defines the rights of people to access information related to stored or processed personal data. However, the legislation’s fundamental principles come from the Data Protection Act (1998), so any information gathered under the DPA will still be valid under GDPR.

Do I need specialist help?

Redblok’s nine-step guide to GDPR compliance should help most businesses; however, larger companies may need to consult a specialist in company policy and training.

Consultants such as Michael Hoare, former NAG CEO, can deliver key strategic advice about implementing data collection policies. “The impacts on business cannot be ignored,” he says.

“The delays and uncertainty surrounding the implementation may have led some businesses to believe that it would never come into force, and if it did its impact would only be felt in big companies.

“Not the case. So many businesses, large and small, now rely on online marketing and trading for the bulk of their business that the impact will be felt across the board.

“Those with marketing data acquired over time and from multiple sources – often SMEs – will face a particular challenge, and won’t always have the resources in-house to ensure their compliance, or that of any third-party processors.”

If your existing database is not GDPR compliant, and whether you do or don’t use it, you should consider going through a resubmission process to get permission from your customers to keep marketing to them and to keep their personal data.

The new opt-in is not forever! Redblok offers a resubmission service starting from £995 and monthly subscription services from £49.50 per month, for continuous engagement with customers through the year.

What are the implications of missing the 25th May 2018 deadline?

It is each organisation’s responsibility to inform the data protection authority of any breaches that occur and affect individuals’ rights and freedoms within 72 hours of identification. The Information Commissioner's Office (ICO) is the UK authority.

Within this time frame, you’re required to inform all individuals of the data breach and contact the ICO outlining what data is affected, approximately how many individuals are affected, what the consequences could be and what actions you have put into place or have planned.

Failing to meet the strict 72-hour deadline could lead to a penalty of up to two percent of your annual worldwide revenue, or €10m, whichever is higher.

Currently, fines issued by the ICO have a maximum penalty of £500,000. If, however, recently issued fines are adjusted for GDPR, the penalties for getting data protection wrong are much greater: TalkTalk's record £400,000 fine would actually total £59m under GDPR. The data protection authority (DPA) can issue penalties up to €20m or four percent of global annual turnover, whichever is greater.

For the full GDPR article and a nine-step guide to compliance, visit: redblok.co.uk




© 2017
The National Association of Jewellers