What is GDPR and why does it affect me?
You have most likely heard of GDPR already, and if you haven’t, where have you been? Nearly every personal email I have received over the last 8 weeks has in some way been connected to the looming change of EU data rules.
From 25th May 2018, GDPR will come into force not only across the UK but across Europe and, in fact, in any country that processes data from any European country. That includes Customers based in Europe who purchase from a US company, which means that the US companies involved will also be bound by the regulations of GDPR.
From a personal perspective and as a consumer (as we all are), I welcome GDPR: no more emails notifying me of flash sales, “I have won a car”, “spend your Sunday looking for your next holiday”, and the list goes on. But from a professional perspective, it would be an understatement to say this will rock the foundations of marketing and commercial activity to its core. How will we contact Customers or Prospects to inform them about our latest product or service launches? How will they be made aware of events we are holding, or participate in surveys (unless, of course, they have opted in)?
For those of you that were hiding from GDPR, let me quickly explain what you can expect should you ever be in breach of these new regulations. The fine for a GDPR breach is 4% of a company’s annual global turnover or a minimum fine of £20m! Yes, pretty steep indeed when compared to previous fines under The UK Data Act (maximum £500k).
The GDPR document itself is extensive, with 99 articles and 173 recitals or directions! A Supervisory Authority will be designated for each European country (for the UK it is the Information Commissioner’s Office). Usually these Authorities are the current regulators. In addition to this, e-privacy rules that were previously considered “advisory” will now become regulation alongside GDPR on May 25th. These rules govern email, telephone and SMS communication.
Yes, but why does this affect me?
Everyone is a consumer. Even though some of us may work within a business-to-business (B2B) environment, the world is changing, and the previously dated technical acronyms of B2B and B2C are being replaced with the concept of human-to-human exchange. GDPR has inadvertently supported this theory by ensuring these rules apply to all businesses, whether you are marketing to other businesses or to consumers. That is because where the data you are processing is personal, it can still be tracked back to a particular individual. So, really, no-one is exempt.
In basic terms, GDPR means that it will be harder to gain consent for communication and data storage, and it is now a requirement that consumers take clear affirmative action to agree to the processing of their Personal Data.
So, is there any good news?
I have already specified that I think this is a very positive move for individual consumers; we should now only receive information we have asked for, in the format we have asked for. Prior to the 25th May 2018, all companies should have asked their Customers or Prospects to opt in to continue to receive information, updates and product information. What is incredibly important is that you must define, and give examples of, what your Customers or Prospects can expect to hear from you about.
GDPR has specified that legal or technical jargon will not be acceptable explanations to Customers. Privacy statements should be clear and concise. I use a general rule of thumb whereby you write it for a 16-year-old; that way everything is clear and there is no room for misunderstandings.
For companies built on trust and transparency, this provides an opportunity for you to be clear and honest with your Customers about why you might process their data and how it will be stored.
There are also exemptions for member states. These include:
- national security;
- defence;
- public security;
- the prevention, investigation, detection or prosecution of criminal offences;
- other important public interests, in particular economic or financial interests, including budgetary and taxation matters, public health and security;
- the protection of judicial independence and proceedings;
- breaches of ethics in regulated professions;
- monitoring, inspection or regulatory functions connected to the exercise of official authority regarding security, defence, other important public interests or crime/ethics prevention;
- the protection of the individual, or the rights and freedoms of others;
- the enforcement of civil law matters;
- freedom of expression and freedom of information;
- public access to official documents;
- national identification numbers;
- processing of employee data;
- processing for archiving purposes and for scientific or historical research and statistical purposes;
- secrecy obligations; and
- churches and religious associations.
What should I be doing?
- If you haven’t already, you should consider sending an email or letter to all your Customers and Prospects asking them if they wish to opt in and continue to receive updates from you, or opt out, under the new GDPR rules. I suspect there will be a period of grace for companies in issuing these emails, but I wouldn’t advise that you leave it too long.
- Ensure you assign a Data Protection Officer. They should deal with any complaints or issues where a data breach has been identified, and their contact details should be clearly stated on all your privacy statements.
- Redraft your privacy statements: refer clearly to any 3rd party providers you use to process data online or offline, and ensure the wording you use could be understood and discussed by a 16-year-old (there are penalties outlined within GDPR for overcomplicated or unclear privacy policies).
- Ensure that any databases or systems that you are using comply with the minimum standards of GDPR.
- If you haven’t already registered with the Information Commissioner’s Office (if you are a UK-based company), you should do so.
- Maintain a record of all your Customers and Prospects safely and securely. As a minimum, there should be features which enable you to record how and when they gave consent.
- Ensure that you have a robust consent process in place, including forms and somewhere safe to store this information (either in brief or full form).
- The right to be forgotten is when an individual wishes to be removed from any data processing systems. GDPR asks that once this is complete you should confirm deletion with the individual, including proof. At this stage, it is not clear what constitutes proof, for example, should this be a screenshot of the deletion confirmation screen? However, a record then still exists in some form in your sent box, so I think there will still be a period of settling before everything becomes totally clear for data processors.
Want to know more?
The Information Commissioner’s Office has prepared a 12-step guide for smaller companies wishing to learn how they can apply GDPR effectively. This can be accessed here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
You can also assess your readiness for GDPR by using this tool (again provided by the ICO): https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/
Written By Kat Holt, Head of Marketing and Corporate Development