It is now widely understood that a business that succeeds in developing a thriving online community will reap the rewards of high customer loyalty and brand credibility; it is an invaluable way to research the market, gain feedback and better understand the customer base. The more a business is able to learn about its customers and their likes and dislikes, the more able it is to cater for their specific needs, and create a more personalized experience for customers when they engage with the brand through either social networking or on the website itself.
What is perhaps less well understood, however, is where businesses collect that data from and how they collect it, for this is as critical as the information the data provides. Not only are there legal and financial repercussions for getting it wrong, but customers themselves are increasingly aware of how companies collect user and marketing data and what it is used for.
Recent high-profile data hacks have resulted in customers becoming more interested in how their data is held, and more likely to demand reassurances that it is being kept securely. Customer concern about the use of the personal data they have shared, together with a legislative move towards greater protections for consumers and more privacy obligations for organisations, threatens to have major implications for businesses that are increasingly reliant on customer data for insight and targeted marketing.
Any business that currently collects personal data will have to comply with the requirements of the Data Protection Act (DPA) 1988. In May 2018, a new set of regulations will come into force on data privacy in the shape of the General Data Protection Regulation (GDPR). Even for companies that are confident that they are compliant with the DPA, the GDPR will bring big changes and make data protection compliance even more important.
Whilst the GDPR retains the basic principles of data protection law, there are some noteworthy changes. There will be tighter rules for processing personal information, enhanced rights for individuals, and direct obligations on data processors. It will be even more important to ascertain what is personally identifiable information and if the individuals have properly consented to its use. The GDPR requires that consent must be "freely given, specific, informed, and unambiguous," and articulated by a "clear affirmative action."
There is no room for complacency and businesses will no longer be able to rely on a pre-ticked box.
Other significant changes include the potential need for the appointment of a Data Protection Officer and the risk of large penalties (up to 4% of turnover or 20 million) for failure to comply with the GDPR. All organisations also have a duty to report certain types of data breach to their relevant supervisory authority within 72 hours, and in some cases, to the individuals affected without "undue delay." Failure to notify a breach when required to do so can also result in a significant fine of up to 2% of turnover or 10 million.
With such significant financial penalties at stake, it is more important than ever that organisations review their privacy notices and policies, audit their consents, consider if they have any new obligations as a processor and prepare a data security breach plan.
Businesses need to ensure that they have robust policies, procedures and processes in place if they are to comply with the new data protection rules - in short, they have to ensure that they are gathering and processing useful and legally compliant information. With the risk of heavy fines, potential reputational damage and the loss of customer confidence and trust associated with any inadvertent disclosure, nothing should be left to chance.