This article is a quick-fire guide, based on my understanding, of how the new General Data Protection Regulation (GDPR) will affect businesses' marketing activities. It is not a substitute for legal advice, and my recommendation is always to seek legal advice where appropriate.
What is GDPR?
In April 2016, the European Parliament passed the final vote on the new GDPR, and MEPs agreed to update existing legislation to make it more relevant to modern technology. Despite Brexit, this will be going ahead, so don't think we are off the hook! The law will come into force on May 25th 2018, and if you are only just starting to think about GDPR, it may feel like a relatively short time to get to grips with it and make the necessary changes to how you collect, store and process data.
As much as most industries dislike extra legislation to comply with, GDPR is necessary to ensure that all of our personal data is handled better by businesses, by bringing about some accountability. Not to mention that the UK Data Protection Act failed to keep up with technological advancements and has quickly become out of date. GDPR deals with the technology we have now and pre-empts some of the ways we will use data in the future too.
Collecting Data and Consent
As it stands, when we collect data we must give people the option to opt out of mailing lists for newsletters or of being marketed to via text or post. Under the new legislation, you will have to ask people to positively opt in, so pre-ticked boxes are out of the question. What's more, it can no longer be a single general option; there must be specific options that give the individual more control. Consent requests must be explicit, clear and specific. Vague and blanket statements will no longer be compliant.
There should be relevant options for:
- Each channel
- Third parties, etc., whose involvement has to be explained
The statements for consent should be written in clear and plain language so that they are easy to understand. Data collected must be necessary: it is important that you are not collecting data that you do not actually require. The statements must explain why the data is needed and how it will be used. Everyone has the right to withdraw their consent at any time; this must be made clear, along with instructions on how to do so. Evidence is key, so a record of how and when consent was collected must be kept, along with a record of exactly which wording was used when people were asked for that consent. Consent should be regularly reviewed to ensure it is still relevant; this includes regular consent refreshes.
We have compiled a consent checklist based on that from the ICO. Download it here.
Once you have gained consent, you then have a responsibility to keep that data safe and secure. Cybersecurity has become a hot topic recently, with so many large and established organisations having been victims of cyber attacks and millions of people's sensitive data having been accessed and stolen. It is no surprise that GDPR has picked this up and establishes accountability unlike anything seen before. The data holder has a responsibility to store data securely and to use appropriate instruments to ensure its protection. One precaution you can take to ensure data is safe and secure is to look at where you store it: if physically, consider locked cabinets; if digitally, ensure you are using the safest servers, strong passwords and encryption.
What happens if you don’t comply?
GDPR will affect all organisations, big and small, charities and not-for-profits too! Failure to comply with GDPR could lead to penalties. Businesses that refuse to comply will face fines of up to 4% of their global revenue or €20,000,000, whichever is greater; for less severe incidents, the fine will be reduced to 2% of revenue or €10,000,000.
If you currently collect data, store it, analyse it, profile it, or market and remarket to it, then GDPR will affect your business.