An Organisation for all
Accountants in Practice

GDPR has landed! So what now?

Vantage Protect

By Qtac Payroll

The day that every business was dreading finally arrived, the data protection D-Day came and went on Friday 25th May and despite the GDPR hype hitting inboxes across the country the world didn’t come to an end.

Now that the deadline has passed we take a look at the impact of the changes so far and consider what in reality will change for businesses in the next few months.

There has already been a flurry of data being released which makes some interesting reading, including:

  • Research conducted by the Chartered Institute of Marketing (CIM) highlights that of the consumers that were polled, 48% still lacked an understanding of how organisations use their personal data. An increase from 31% since conducting the same research two years ago.
  • Only 41% of individuals polled are aware of the new regulations, demonstrating that despite the hype there is still a lack of understanding of what the new regulations mean for people, and what their rights now are.
  • When looking at businesses themselves, research commissioned by Cybersecurity Insiders found that only 7% surveyed confirmed that they were fully compliant in time for the deadline. As with consumers of those surveyed 25% admitted having no or limited knowledge of the new law.  The full report from Alert Logic is available here.

So despite the pre-deadline hype and activity it seems that there is still a way to go to get the legislation fully implemented and understood.

Large brands become the first targets of GDPR

It was probably inevitable that major brands would be amongst the first targets for the regulators and within hours of the deadline Facebook, Instagram, WhatsApp and Google become the first brands to hit the headlines.

European consumer rights organisation Noyb has filed a complaint against these organisations citing that their new terms of service do not comply with GDPR as they did not allow users to provide consent freely.  If the complaint proceeds, it could result in fines of more than £3bn.

Certainly the press about the size of potential fines has struck fear amongst many small businesses who would be unable to pay the level of fines being discussed.  However Elizabeth Denham, the Information Commissioner, spoke to BBC Radio 4 on the 25th of May and confirmed that small businesses which did not make extensive use of customer data would not come under close scrutiny.

She was also keen to make it clear that the ICO are not on the hunt to persecute any misdemeanour in regards to the new regulations.

Does it mean small businesses are off the hook? No but it does relieve concern that as long as businesses are taking steps to protect the data they hold the ICO will be sympathetic towards them.  It’s organisations who are ignorant of or deliberately disregarding data protection that need to be wary.

What’s Next?

It is clear that there is still a way to go for businesses and consumers alike to get to grips with the changes fully and there are certainly likely to be further high profile stories hitting the headlines over the forthcoming months.

The GDPR will continue to evolve with another set of regulation on the horizon in the form of the updated Privacy and Electronic Communications Regulations (PECR), data protection is going to be a hot topic for a considerable time to come.

PECR sits alongside GDPR and governs e-privacy rules.  No official news has yet been circulated explaining how PECR could be updated following GDPR, so we will have to wait to find out how these changes could affect email and SMS communications.

Remember it’s not just a marketing issue

The focus in the run up to the 25th May was very much on the handling of marketing data with consent emails landing in inboxes across the country by the 100s.  However, what shouldn’t be forgotten is that GDPR covers more than just the personal data held by a business on its customers.  Employee data falls within the regulations too, something that many businesses appear to have missed.  Storing and sending salary and other personal information on employees (including payslips) needs to fully comply with the legislation and employees need to be communicated too and consent obtained.