The General Data Protection Regulation (GDPR) applies from 25 May 2018 and is intended to harmonise European data protection laws to meet the demands of the ‘big data’ era.
Why is the GDPR needed?
Data is no longer wholly stored in structured databases, as the existing European privacy laws had envisaged, but instead consists of unstructured electronic information spread across various media (emails, messages, photos, tweets, etc.), necessitating the introduction of a new legislative framework.
There has also been an explosion in the volume of data being created; by one widely repeated estimate, more data has been created over the past two years than in the entire previous history of the human race.
Data no longer respects national boundaries. Information now flows around the world seamlessly, instantaneously, and is often stored simultaneously across multiple locations.
Who will the GDPR apply to?
The GDPR will apply to any business established in the EU, and to any business established outside the EU which offers goods or services to individuals in the EU or monitors their behaviour there. Note that it protects people who are in the EU, not only EU citizens. Please note also that the GDPR will not be materially affected in the event of Brexit.
What will stay the same?
The GDPR retains the core rules and principles of the Data Protection Directive, enshrined in UK law by the Data Protection Act 1998 (DPA), regulating the processing of personal data. (For more information about the DPA please see our Quick Guide on this subject.)
The existing rights of individuals to access their own personal data; object to direct marketing; rectify inaccurate data; and challenge automated decisions made about them are all enshrined in the GDPR.
What is new?
Financial penalties: Fines for the most serious infringements may be levied up to the higher of €20 million or 4% of annual worldwide turnover (a lower tier of €10 million or 2% applies to other infringements). Individuals can also claim compensation from organisations for material or non-material damage, such as financial loss or distress, suffered as a result of an infringement.
Accountability, Reporting Duties & Privacy Notices: Companies will need to demonstrate that they comply with the GDPR via accurate record-keeping. The extent of such records will depend upon the size of the organisation and level of risk having regard to the nature of data being processed.
Privacy notices must be concise and intelligible whilst containing specific information about individuals’ rights and the nature of the processing of their data. Businesses will need to report personal data breaches to their regulator within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals, and, where the breach is likely to result in a high risk to individuals, to the affected individuals without undue delay.
New rights for individuals: New rights include the right to erasure of data, the right to data portability and the right to object to profiling activities.
Consent: Valid consent must be freely given, specific, informed and unambiguous, and explicit consent is required to process sensitive (special category) personal data; it will therefore be more difficult to obtain, and individuals must be able to withdraw their consent at any time. Where online services are offered directly to a child, consent will only be valid if given or authorised by a parent or guardian (the age threshold is 16, which member states may lower to no less than 13).
Appointment of Data Protection Officer (DPO): Certain organisations will be obligated to appoint a DPO; voluntary appointments may also be made. The DPO must report directly to the highest level of management and is responsible for advising on and monitoring compliance with the GDPR, although responsibility for meeting the GDPR obligations remains with the organisation itself.
Disclaimer: This note does not contain a full statement of the law and it does not constitute legal advice.
Please seek legal advice if you have any questions about the information set out above.
Can businesses still cold call under GDPR? The simple answer is "YES"
Since the regulations took effect, we’ve had many discussions with both existing and prospective clients to give assurance about what they can and cannot do under GDPR, in particular whether they can use personal data to cold call individuals without explicit consent in order to continue promoting their products and services. The simple answer is YES. The new legislation does allow businesses to cold call, but requires that this is done in a responsible way: only where there is a ‘legitimate interest’ for doing so that is not overridden by the interests, rights and freedoms of the individual, and bearing in mind that the individual retains the right to object to direct marketing at any time.
Our commitment to GDPR
GDPR (General Data Protection Regulation) is the new EU regulation for the protection of personal data and the greatest change in data protection regulation over the past 20 years. It replaces Directive 95/46/EC on the protection of personal data and strengthens the rights that EU citizens have over their personal data.
Unique Telemarketing Solutions values privacy, for both our customers and our employees. We are committed to GDPR compliance and have policies in place to ensure that we comply with the new regulations.
We evaluated all areas related to personal data in order to be compliant with GDPR:
Mapped and analysed all systems holding personal data, to make all such systems GDPR compliant.
Adjusted the processes that handle personal data across Services, IT, Sales, Marketing and HR, to make them GDPR ready.
Evaluated the services in which we process personal data for our customers, to implement Data Processing Agreements where needed.
Evaluated vendors and sub-contractors, to implement Data Processing Agreements where needed.
In parallel with the GDPR implementation, Unique Telemarketing Solutions has evaluated all data centres, offices and infrastructure against ISO 27001 requirements, to secure personal data as well as possible.
We plan to continue our implementation of the regulations with regular audits.