This May a new law from the European Union will come into effect in the UK, affecting personal data held by card publishers, retailers and trade suppliers. The GCA is taking steps to ensure that members and associate members do not fall foul of the imminent General Data Protection Regulation (GDPR) by issuing a simple guide to the new regulations, drawn up by the GCA’s legal advisors Steeles Law. The GDPR will apply to all companies which process EU citizens’ personal data, tightening up the rules relating to the storage and transfer of those people’s private information.
This new law will affect any company that collects and stores personal data, including greeting card retailers, publishers and distributors (who may use their ‘mailing list’ to send promotional material either by post or digitally) – in fact anyone who needs to collect and store customers’ data.
Sharon Little, CEO of the GCA, has just sent all members an email outlining their obligations under the new law, along with a simple guide. Click here to view a copy.
Explaining the rationale of the imminent legislation, Sharon said: “The aim is to ensure that personal data is sufficiently protected by organisations which hold it and enable the prosecution of those that don’t. It is hoped that this will reduce the risk of large data breaches in future and increase the public’s confidence in how companies treat its personal data. In the long term, it could help prevent sensitive personal information ending up in the hands of cyber criminals.”
The GDPR introduces new responsibilities and duties of which businesses will need to be aware. The greatest challenge facing businesses may well prove to be gaining direct consent to collect individuals’ fresh personal data. It will have to be clear how the information will be used, and silence or inactivity will no longer constitute consent from the individual.
However, there are far less stringent requirements when it comes to current clients. The definition of ‘data’ has been widened to include almost any form of information about an individual. Companies must only store data for as long as is absolutely necessary and only use the data for the purpose for which it was originally collected. Another notable change is the obligation to delete data if a request to do so is received from the person to whom the correspondence is sent.