GDPR – Great, a Data Protection Reform…
Marketers across the UK and the EU [insert awkward Brexit joke here] collectively sigh as the data protection rules are set to change. Fear not, this is not as bad as it sounds. Just make sure you play by the rules and put some protection in place (you can find out how to do so here).
GDPR – What is it?
GDPR clearly doesn’t stand for ‘Great, a Data Protection Reform’, so what is it?
The General Data Protection Regulation (GDPR) is a regulation by which EUROPA (the European Parliament, the European Council and the European Commission) intend to strengthen and unify data protection for all individuals within the EU, while addressing the export of personal data outside of it.
The purpose of this regulation is to give the public back control of their personal data (rightly so!) and to simplify the regulatory environment for international business by unifying the regulation within the EU (don’t worry, we will cover Brexit later).
The GDPR takes effect from 25 May 2018 and impacts every organisation that uses personal data from EU citizens (both B2C and B2B).
According to the Direct Marketing Association, “the new GDPR will determine how your business does business, and particularly how it manages, protects and administers data in the future.” It marks big changes in the way organisations manage their email marketing, especially how they seek, collect and record consent (Pure360, DMA, 2017).
How does this affect my business?
Without getting too bogged down in the intricacies and jargon of the new regulation (the majority of the information can be found here, here and here), the main points you need to be aware of (issued by the Information Commissioner’s Office (ICO) as draft guidance and listed by the DMA) are:
- Unbundled: Asking for consent should be separate from other terms and conditions, so individuals are clear what they are consenting to. Consent should not be a pre-condition of signing up to a service unless it is necessary for that service.
- Active opt-in: The GDPR makes it clear in the recitals that pre-ticked boxes are not a valid form of consent. Clear opt-in boxes should be used.
- Granular: Where there are various different types of data processing that may occur, allow for separate consent as much as possible. The ICO want organisations to be as granular as possible which means giving consumers more control over what they’re consenting to.
- Named: Always tell individuals who your organisation is and name any third parties that the data will be shared with. The draft ICO guidance states that terms like ‘we will only share your data with other men’s clothing retailers’ are not specific enough. The individual organisations that the data will be shared with need to be named.
- Documented: Maintain records of the consents you have. Record the following information: what the individual has consented to; what they were told at the time; and the method of consent.
- Easy to withdraw: Individuals should be easily able to withdraw their consent. Organisations must put in place simple, fast methods for withdrawing consent and tell individuals about their right to withdraw consent.
- Freely given: Consent should be freely given by individuals.
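To make the seven points concrete, here is an added example (not code from the original article, the ICO or the DMA) of a small consent ledger that enforces them: one record per purpose (granular), rejection of pre-ticked or unticked boxes (active opt-in), named third parties, a record of the notice text and method (documented), and a one-call withdrawal. The class and field names are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed consent record modelled on the ICO/DMA points above.
@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str                 # granular: one purpose per record
    notice_text: str             # what the individual was told at the time
    method: str                  # how consent was given, e.g. "web form checkbox"
    third_parties: tuple         # named recipients, never vague categories
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

class ConsentLedger:
    def __init__(self):
        self._records = []

    def record_opt_in(self, subject_id, purpose, notice_text, method,
                      third_parties=(), box_ticked=False, pre_ticked=False, when=None):
        # Active opt-in: a box the user did not tick themselves is not consent.
        if pre_ticked or not box_ticked:
            raise ValueError("consent must be an active opt-in, not a pre-ticked box")
        # Named: every recipient must be an actual organisation name (a real
        # system would check these against its register of named recipients).
        if any(not tp.strip() for tp in third_parties):
            raise ValueError("third parties must be named individually")
        rec = ConsentRecord(subject_id, purpose, notice_text, method,
                            tuple(third_parties), when or datetime.now(timezone.utc))
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id, purpose, when=None):
        # Easy to withdraw: one call closes every open consent for that purpose.
        when = when or datetime.now(timezone.utc)
        closed = 0
        for rec in self._records:
            if rec.subject_id == subject_id and rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = when
                closed += 1
        return closed

    def may_process(self, subject_id, purpose, third_party=None, at=None):
        # Granular check: consent for one purpose never covers another purpose
        # or a recipient that was not named when consent was given.
        at = at or datetime.now(timezone.utc)
        for rec in self._records:
            if rec.subject_id != subject_id or rec.purpose != purpose:
                continue
            if rec.given_at <= at and (rec.withdrawn_at is None or at < rec.withdrawn_at):
                if third_party is None or third_party in rec.third_parties:
                    return True
        return False
```

Because every record keeps the notice text, method and timestamps, the ledger doubles as the evidence you would show a regulator if asked to demonstrate consent.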
These seven key changes affect how you handle, collect and store data. It may seem like another marketing barrier at first, but as the saying goes, ‘every cloud has a silver lining’.
So, what are the benefits?
The main benefit to marketers and businesses is that customers (in theory) should be more receptive to giving out their data if it is less likely to be misused.
Using the analogy of “data is the new oil”, companies have been taking the data in its raw form and trying to use it without going through the process of refining it.
This new regulation should lead towards cleaner, more up-to-date data, as it will force marketers to stop focusing on the size of the database and focus instead on the quality of the data within it.
Don’t fear, it’s not as labour intensive as the fractional distillation of crude oil! ‘Many of the principles that would assist in refining data already exist under the present directive: data minimisation; accuracy; storage limitation. They haven’t changed much in the GDPR, a little tweak here, a small tightening there, but the enforcement mechanisms have changed dramatically.’ (Gemalto, 2016).
If you’re still not convinced, just remember that you will benefit from better insight into your audience if you’re analysing cleansed data.
The elephant in the room
Whether you’re for or against Brexit, the GDPR is set to pre-empt our departure from the EU, meaning you’ll need to prepare to meet these regulations. Regardless of our membership status, just like other pieces of legislation and regulation, the UK will probably follow suit and adopt the same regulations in the hope of maintaining business relations with European partners (Computer Business Review, 2017).
What are the consequences?
- Failure to comply means your company will be fined 4% of turnover or 20M Euro – whichever figure is higher (Allen & Overy, 2016).
- Citizens will have legal rights to bring individual lawsuits and make compensation claims in the case of a data breach (Allen & Overy, 2016).
- If a breach occurs, companies must report it within 72 hours and be ready to demonstrate their security and data privacy procedures at a moment’s notice (Computer Business Review, 2017).
- In an effort to further safeguard data, the GDPR also imposes restrictions on entities transferring personal data outside of the European Economic Area (EEA) with transfers only being lawfully made under limited circumstances (Computer Business Review, 2017).
- Not-for-profit organisations are not protected from this penalty. If your organisation makes no turnover you will still be liable to pay the 20M Euro fine (Computer Business Review, 2017).
How can my company prepare?
- Prepare for the GDPR by reviewing the systemic ways you use data and looking at what needs to change to meet the new requirements around the “right to be forgotten, right to erasure and the right to data portability” (Computer Business Review, 2017).
- Data protection is not just about personal data and compliance. If you’d like to find out more about this topic we’ve recently written an article on Cyber Security and how to protect your business.
- The Non Exec Director of a GDPR training organisation, Ian Moyse, says there is also talk that companies will need to appoint their own Data Protection Officer or face tough financial sanctions (Ian Moyse, 2017).
- Many of the rules are similar to those in the current Data Protection Act (DPA), so if you are complying properly with the current law you’ll have a good foundation to build on.
If you’d like to get ahead of GDPR and keep your customers happy, get in touch: firstname.lastname@example.org