This article, originally published in February 2016, has been updated (October 2016) to reflect new developments…
The General Data Protection Regulation (GDPR) seeks to strengthen and unify data protection for individuals within the EU, and also addresses the export of that data outside of the EU. The idea is to bring together (well, almost) the fragmented implementation across the member states. The legislation is aimed at any organisation that monitors, collects or stores personal data – this includes all MR consultancies, recruiters, online providers and data collectors.
The changes are significant. Firstly, if you were covered by the existing data protection rules you should be aware of these updates. Secondly, the regulation can impose fines of up to 4% of a company's annual worldwide turnover (or €20 million, whichever is higher) for breaches. Our decision to leave the European Union will have very little impact on data protection, so we need to gear up for these changes.
We have highlighted what we believe are the main facts, but this is not a complete reference – please do your own research too to make sure you are familiar with the requirements. There is also some debate as to how some elements of the regulation will be applied – this is a movable feast, so it is worthwhile keeping an eye on things.
- Now applies to any organisation based within the EU, as well as those outside of the EU if they process the personal data of EU residents (for example by offering them goods or services, or monitoring their behaviour)
- Comes into force on 25 May 2018
- Individuals are being given more control over how their data is used (this includes full, up-front disclosure and consent) and how long it will be kept for. They also have a right to be forgotten (erasure).
- Data must be portable between service providers
- More transparency and easier to understand policies
- Regulation takes a risk-based approach
- Sanctions range from a written warning right up to financial penalties
SMEs do attract some special treatment under the legislation, and the burden of compliance is reduced. Notably, a small organisation is not automatically required to appoint a Data Protection Officer (the requirement depends on the nature of the processing rather than company size), and organisations with fewer than 250 employees have a lighter record-keeping and impact assessment burden. Breach notification is also risk-based: individuals need only be told where a breach is likely to result in a high risk to them. Equally, many of the provisions are about the privacy and rights of an individual – if the data is truly anonymised then the protections do not apply – but there are also guidelines covering how this must be done, and pseudonymised data (where the individual can still be identified with additional information, such as a key file) is still personal data.
This is a technical area, and the MRS has produced some useful guidance (as well as a video from the ICO) on its potential impact for MR companies. Below you will find links to this and other useful resources.
- MRS summary of GDPR for MR
- MRS Fair Data principles
- ESOMAR summary of the impact of the regulation for MR
- Wikipedia summary of GDPR
- Griffin House consultancy LinkedIn group, Data Protection 4U, which posts developments in real time
So what should we do to prepare? The easiest route is to become an MRS certified member and take up the MRS Company Partner Accreditation sole trader package – it's FREE for ICG members. After this, look at becoming Data Protection compliant through an established process, which the MRS is going to offer as a service. In this regard, the MRS plans to have discussions with the ICG to make this affordable for independents.
If you have any further questions please contact Harriet Walsh at the MRS (firstname.lastname@example.org).