GDPR: A watershed moment for customer data laws
Months after the momentous Brexit decision, the reality of how exiting the EU will impact the future of businesses in the UK is still a little murky to say the least. Each day brings new headlines and rumblings about companies relocating overseas, the precarious pound and rising import costs, but the general consensus is that the pace of change will be glacial over the coming years.
However, the business community faces a significant landmark with the introduction of the General Data Protection Regulation (GDPR) in 2018. This new legislation will replace the long-standing Data Protection Act 1998 and introduce stricter rules on how businesses process personal customer data. So, what do companies need to know, and how is the customer experience going to change?
General Data Protection Regulation – the key points
In essence, the rules will introduce stricter requirements around when brands and businesses can use data. This means they will need to be clearer about the information they are requesting from customers and how they will use it. Confusing contracts and terms and conditions will no longer be an option. Companies will need to provide transparency at all stages during the collection of customer data to ensure consent is given unambiguously. An ‘opt-out’ box will also be introduced which will give customers greater control over the information they share with organisations.
Another important change is increased accountability. Strict penalties will be introduced for businesses that breach the new legislation, with the maximum fine increasing from £500,000 to €20m or 4% of global turnover for the most serious incidents. Customer data breaches are already taken extremely seriously, and businesses will face hefty fines if they are proven to be negligent. A recent example is TalkTalk, which was hit with a record £400,000 fine by the Information Commissioner’s Office for failing to protect the personal data of 156,959 customers from a cyber attack.
The Act will apply to both processors and controllers of customer data, so those businesses which are currently regulated by the UK Data Protection Act are likely to be affected by the GDPR. Significantly, the rules will be imposed across Europe, building a harmonised data protection regime that affects not only companies based in the EU but also those that want to do business here.
How will the GDPR impact the UK?
The Secretary of State Karen Bradley MP announced this week that, as the UK will still be a member of the EU in May 2018, it will be ‘opting in’ to the GDPR and will “then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”
A key lesson here for businesses is they will face greater scrutiny on how they manage customer data. Although it will be some time until it is understood exactly how the UK will adopt the GDPR, at the very least, businesses working with EU countries will need to abide by the legislation as it applies to the management of customer data flowing both in and out.
Of course, cross-border data control is not a new topic. The debate on the transfer of European citizens’ data to the US recently hit a speedbump when the European Court of Justice ruled that the ‘safe harbour’ agreement is no longer valid. The inherent contradiction between national borders and data held on servers internationally means that negotiations to find a solution are always likely to be slow and complex.
Giving power back to customers
Ultimately, what the GDPR, and the legislation before it, are established to do is protect the way businesses collect, store and use customer data. I therefore urge companies to be prepared and review the way they store and use customer data now to ensure they will comply with the new legislation when it is implemented.
The introduction of GDPR also addresses the fact that customers want more transparency when communicating with businesses. They want to know that when they provide their address, phone number and other personal information, it’s being used in the right way. Of course, the collection of data is integral to customer-facing businesses in order to build a full profile of their customers and enable them to offer a seamless experience. A good customer experience is not a trivial issue – an Accenture report found 52% of consumers have switched providers due to poor customer service.
In the digital age where businesses can now store more customer information than ever before, data protection laws will continue to evolve to set clear rules and boundaries. It’s crucial that businesses ensure their infrastructure (and employees) are set up to comply with the changes. Organisations should have the freedom to implement the systems and architectures that best address their needs for security and data integration – whilst always remaining compliant with legislation.
How the UK is impacted by the GDPR will continue to feature in the news over the coming months, and I urge businesses to keep abreast of the latest news and developments to make sure they are fully prepared to make the required changes.
Senior Director of Marketing, EMEA, SugarCRM
Daniel Heck is Senior Director of Marketing EMEA for SugarCRM and responsible for strategic and tactical marketing and communications activities in the region. Heck was formerly Senior Director EMEA Marketing with Canadian Solar, a leading global solar company...