GDPR – it’s a term that has become more and more familiar in business circles over the past few months. Marketers have known about it for a while, primarily because of how it will impact on our usage and processing of customer data – something that is essential when you are looking to build databases, utilise CRM systems and run targeted marketing campaigns.
However, for some the GDPR might be relatively new on the radar. With this is mind, I’ve compiled a brief overview on the topic – summarising the key changes, terminology, and some food for thought before the new regulations come into effect on 25th May 2018.
What is “GDPR” and why is it important?
“The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years…” (Source: https://www.eugdpr.org)
It replaces the Data Protection Directive 95/46/EC and its purpose is to harmonise data privacy laws across Europe. The difference between a “Regulation” and a “Directive” is that the former is a binding legislative act, rather than a goal to be achieved by various means. In short, if after the 25th May 2018 your business is not in compliance with the new EU GDPR, it could face heavy fines, up to a maximum of 4% of global turnover.
But we are leaving the EU, won’t Brexit mean GDPR doesn’t apply to the UK?
Firstly, the UK will still be in the EU when the GDPR comes into force. Secondly, regardless of the outcome of Brexit, it is almost certain that the UK Government will implement equivalent legislation in the form of a new Data Protection Act. This will ensure a level playing field for businesses to access the EU digital market.
The UK Government and the ICO (Information Commissioner's Office) have been fully supportive of the GDPR throughout its conception, so there is no reason for the UK to adopt regulations with any great differences, nor to stick with the existing directive. The GDPR will also apply to businesses in non-EU countries that process the data of EU citizens, so if your business trades in the EU, the new regulations would still apply.
So what is changing and what does it mean?
The language used in the articles of the GDPR can seem convoluted and hard to boil down into a simple summary. Below you will find a list of the key terms used and what they mean, followed by a second list highlighting the main areas of change compared to the existing data protection directive.
- Controller – a controller determines the purposes and means of processing personal data. They will have legal obligations to ensure that contracts with processors comply with the GDPR.
- Processor – a processor is responsible for processing personal data on behalf of a controller. They will have specific legal obligations for things such as maintaining records of personal data and processing activities.
- Personal Data – the GDPR applies to personal data, meaning any information by which an individual could be directly or indirectly identified, e.g. Name, Address, DOB, IP addresses and so on.
- Sensitive Personal Data – specifically information which uniquely identifies an individual, e.g. biometric, genetic, medical, religious views.
- DPA – Data Protection Authority
- DPO – Data Protection Officer
“The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established.” (Source: https://www.eugdpr.org/key-changes.html)
- Penalties – organisations in breach of the GDPR can be fined up to a maximum of 4% of annual turnover or €20 million (whichever is greater). The fines are tiered depending on the severity of the breach – e.g. a fine of up to 2% could apply for not having records in order.
- Consent – conditions under which a subject gives consent have been strengthened, and companies can no longer use long and illegible T&C’s. Consent must be given in a clear and accessible form, with the reasons for gathering the data also given alongside the form. It must be as easy to withdraw consent as it is to give it.
- Breach Notification – where a data breach occurs and is likely to “result in a risk for the rights and freedoms of individuals”, notification within 72 hours will be mandatory. Data processors must also notify their customers and the controllers.
- Right to Access – part of the expanded rights for data subjects is the right for them to obtain information about the data that is being stored about them, and the purposes for which it is being used. The controller must be able to provide an electronic copy of this data free of charge.
- Right to be Forgotten – also known as Data Erasure, this entitles the data subject to have the controller erase his/her data, cease further dissemination, and potentially halt 3rd parties from processing the data. This could be due to the data no longer being relevant to the purposes for which it was originally gathered, or withdrawal of consent.
- Data Portability – the right of the data subject to receive the data being held, which they have previously provided, and the right to transmit this to another controller.
- Privacy by Design – this calls for the consideration and inclusion of data protection as part of a system from the outset, rather than an additional afterthought. Specifically, “the controller shall implement appropriate technical and organisational measures in an effective way to meet the requirements of this Regulation and protect the rights of data subjects”.
- Data Protection Officers (DPOs) – under the GDPR it will no longer be necessary to submit notifications to each local Data Protection Authority (DPA) of data processing activities. Instead there will be internal record keeping requirements, and DPO appointment will only be mandatory for those controllers and processors whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or special categories such as criminal convictions. Clearly this is not definitive – it could mean any enterprise over 250 employees, or for any company processing more than 5000 data subjects over a 12 month period – this remains to be seen.
What does it mean for marketing?
Many businesses either gather or capture data from customers for marketing purposes via their website, or during the sales process. For example, this would apply to B2B websites with enquiry forms; B2C eCommerce sites; newsletter/email subscription; and so on. The bottom line is that marketers should strive for transparency in data collection, followed by secure storage of said data, and controlled processing that matches the original stated purpose for collection.
Business owners and those responsible for marketing should think about answers to the following questions:
- How are we gathering personal data?
- Is our purpose for gathering this data clear?
- Are the options for consent clear?
- How are we storing this personal data?
- How do we process this personal data?
- Are we giving users control over their data – to amend/delete/unsubscribe?
In short, collection of personal data and the use of this data for marketing can continue with clear consent, purpose and better safeguarding for the rights of individuals. If anything, for marketing teams and business owners, the GDPR could be seen as a chance to review existing systems and implement best practice, therefore earning more trust from your existing and potential customers.
How can we demonstrate compliance?
Accountability and Governance
While the principles of accountability and transparency have previously been implicit requirements of data protection law, the GDPR’s emphasis elevates their significance. You are expected to put into place comprehensive but proportionate governance measures. Ultimately, these measures should minimise the risk of breaches and uphold the protection of personal data.
According to the GDPR itself – Article 5(2) requires that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
In order to show compliance you must:
- Implement appropriate technical and organisational measures that ensure and demonstrate that you comply. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.
- Maintain relevant documentation on processing activities.
- Where appropriate, appoint a data protection officer.
- Implement measures that meet the principles of data protection by design and data protection by default. Measures could include: data minimisation; pseudonymisation; transparency; allowing individuals to monitor processing; and creating and improving security features on an ongoing basis.
- Use data protection impact assessments where appropriate.
Where can I find out more?
The following are useful links, and were used as sources for the information in this article:
https://www.eugdpr.org – official EU website with FAQs and countdown to the GDPR.
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/ – Information Commissioner’s Office, independent UK authority.
https://ico.org.uk/media/for-organisations/documents/1624219/preparing-for-the-gdpr-12-steps.pdf – 12 simple steps to help businesses prepare.
For information about the marketing services I can offer, please get in touch using the form below!
By completing and submitting the form below, you give consent to be contacted by TOG Marketing for the purposes of offering marketing consultancy and similar services. Your personal data will not be disclosed to any 3rd parties. You have the right to request a copy of any personal data held about you, and can do so by emailing firstname.lastname@example.org. (See what I did there?).
The content of this web page is a piece of commentary on the GDPR, as interpreted by TOG Marketing, as of the date of publication. The views and thoughts expressed are entirely my own. The application of GDPR is highly specific, and some aspects may still be open to change or interpretation.
As such, this content is provided for informational purposes only and should not be relied upon as legal advice or to determine how GDPR might apply to you and your organisation. I encourage you to work with a legally qualified professional to discuss the GDPR, how it applies specifically to your organisation, and how best to ensure compliance.
TOG MARKETING MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION ON THIS WEB PAGE. This CONTENT is provided “as-is.” Information and views expressed in this web page, including URL and other Internet website references, may change without notice.