GDPR for digital agencies – how you can avoid hefty fines

Digital and creative businesses are urged to get to grips with the biggest overhaul of data protection law in a generation before new rules come into effect on May 25, 2018.

The General Data Protection Regulation (GDPR) will spark a series of challenges for businesses across the creative and digital industries sector.

It will be regulated by the Information Commissioner’s Office (ICO), a government watchdog, and fines for non-compliance could be as much as €20,000,000 or 4 percent of annual turnover.

A very complex area, covering a huge array of requirements, GDPR will govern how all private, public and third sector organisations across the EU handle personal data. The government has said that it will remain in place post-Brexit.

Under GDPR, every person whose personal information is stored by a business for any reason must be told why that organisation wants it and what it will do with it. Digital designers seeking to share the data with any third party will also need the specific consent of the individual.

This consent must be very clear. For example, you cannot simply rely on a click confirming that a privacy policy has been read. Legal consent under GDPR must be explicit, informed and freely given. It can be made in a statement or by ticking a box.

Personal data must be stored securely with specified protocols to ensure that it is not breached, stolen, leaked or shared without authorisation.

The far-reaching changes allow anyone to inspect their personal data at any time. As such, organisations must be geared up to handle ‘subject access requests’, informing anyone who asks what data is held on them and how it is used, within one month. This means that the data must be kept accurate and up to date, with any changes made as and when they occur.

The need for easy amendment and management is also vital as anyone can request that their personal data be removed at any time, or revoke any consent previously given. GDPR also requires that employees are trained in how to protect and manage the information they hold.

The digital and creative industries are among the fastest growing and most culturally diverse in our economy, and businesses in this sector are renowned for routinely collaborating with other companies globally. Many creatives will therefore have to look carefully at the specific rules that apply to processing data between different countries. In a large-scale advertising project, for example, or when looking to bring in specialist skills from abroad, this might run to numerous countries both within the EU and further afield.

Where digital businesses step outside the EU, the new regulations impose restrictions to ensure that data protection rights are adequately safeguarded by the organisation that receives the data. Data may be transferred beyond the EU where the individual gives informed consent or the transfer is required to perform a contractual obligation in the interests of the individual.

A particular headache for those in the digital industries, who may already have amassed large amounts of information, is that GDPR applies retrospectively to all data collected before May 2018, as well as all data from that date.

Comprehending and complying with the massive overhaul will be extremely challenging, and it is still possible that there may yet be further developments and changes in the lead-up to the new rules being implemented. Adopting the adage that forewarned is forearmed, enlisting a legal practice with a track record in data protection upfront can help to prepare your business for the changes to come, and avoid severe financial non-compliance penalties further down the line.

Sarah Finnemore is a solicitor with hlw Keeble Hawson, specialising in litigation and dispute resolution. She can be contacted on 01302 380216 or [email protected]