Page 22

RCI Feb 2018

SIG ROOFING IN FOCUS

New data rules will impact on all roofing businesses

With the General Data Protection Regulation coming into force in May this year, Janine Brady, marketing manager at SIG Roofing, discusses the rules and how they will affect RCI readers.

The introduction of the General Data Protection Regulation (GDPR) in May will supersede the current rules and, in a nutshell, the rules are going to get tougher. There’s a lot of noise around the GDPR, so here are a few key points. They are by no means exhaustive or authoritative, but they are pointers to help your roofing business get to grips with the new regulations.

The GDPR gives individuals more meaningful control over their personal data. It does this by strengthening the rights they already have over that data and adding a couple of new ones, as well as introducing measures to make companies accountable for what they do with personal data. This affects both employee data and customer data, and it’s not just about security – it’s also about being transparent with people about how their data is being used, and using it fairly.

Keeping records

The most important thing you need to do is have and maintain a clear picture of the personal data your business processes: where it’s held, why you hold it, what it’s used for, and who has access to it. This is important to show accountability, and that’s why record-keeping is going to become even more important. As well as a map of the data you process, you also need to make sure that you will be able to provide evidence that you’re handling data safely and appropriately. All businesses will need to undertake ‘privacy impact assessments’ before doing anything with personal data, and will need to make sure that data protection is considered from an early stage rather than as an afterthought. You may need to prove this to a regulator one day, so keep the evidence.

Your company must now have records of contracts with any third parties that process personal data on your behalf (e.g. mailing houses, server hosts, payroll providers), showing what data is shared with which companies, how it’s protected, where it’s located, and why it’s shared with them.

A data protection officer

Every company will need to appoint a data protection officer (DPO). DPOs have to be allowed to carry out their role independently, and can’t be given any other roles or duties where they might have a conflict of interest. The DPO doesn’t necessarily need to be an employee and, as we’re already seeing, a number of DPO consultants are springing up who can fulfil the role as an outsourced service. Firms must consult their DPOs from the outset on all matters involving personal data, and must build privacy into new products and services (‘privacy by design and by default’).

Marketing to customers

When it comes to marketing activity and proactive communications (such as notifications that warranties are due to expire), the GDPR is really tightening up the rules, and the issue of consent will become much more explicit. Consumers will have to actively opt in to receive marketing and communications from your company. The old days of opt-out boxes (where you tick if you do not wish to receive information) are being outlawed, as implied consent, silence and/or a failure to respond will no longer be acceptable. From May, your business will have to use positive opt-in boxes (where the consumer indicates that they consent).

Data privacy notices for employees also become very important. Employees and subcontractors have the same rights as customers, and employers can no longer use consent as the basis for processing employee data (because there’s an imbalance of power, so consent can’t be freely given). Therefore, companies need to have another legal basis for processing employees’ data, which must be explained in a privacy policy.

Security of data

Companies already have an obligation to take organisational and technical measures to keep personal data secure. This is strengthened and brought up to date under the GDPR to include the need to use encryption, anonymisation and similar newer technologies. It’s important for all companies to assess the risks that their businesses face and make sure that they are applying adequate protection, remembering that threats evolve constantly.

Penalties

Current fines for data protection breaches are a maximum of £500,000, but this will increase to fines of up to 4% of global turnover.

This article covers some of the key points of the GDPR, and there’s lots of information about how companies can prepare for it on the Information Commissioner’s website: www.ico.org.uk.

