GDPR Part 2: What does it mean to my business?
The General Data Protection Regulations (GDPR), is the new European privacy law designed to regulate how individuals and organizations may obtain, use, store, and eliminate personal data belonging to EU citizens. It’s set to be enforceable from May 25, 2018, and will pretty much impact every organisation in the world.
If you aren’t familiar with the General Data Protection Regulations (GDPR), our ‘Are you ready for GDPR?’ article will help give you a basic understanding of the new law. Just bear in mind that we’re not lawyers, so if you’re concerned about how GDPR will affect your business, we suggest you make contact with an independent advisor.
What does the GDPR involve?
As you can imagine, the GDPR is quite a bedtime read, but to help give you a basic understanding of the law, we’ve broken down some of the main points:
1. Stricter consent requirements
● Individuals must explicitly opt-in to the storage, usage and management of their personal data
● Separate consent must be obtained for different processing activities and you must clear about how the data will be used for each activity
● Silence, pre-ticked boxes or inactivity does not constitute consent
● It must be easy for individuals to both provide (opt-in) and withdraw (opt-out) their consent
● You must be able to prove consent for each purpose
Essentially, GDPR changes to consent is going to have one of the biggest impacts on businesses. In a nutshell, the GDPR means you must now explain to each contact what data you have on them and for what purpose. You cannot blanket ‘opt-in’ contacts when you obtain their information, you must gain their consent for each type of communication and you must be able to prove they’ve given you consent. Also, there are other areas you need to consider:
● Existing contacts
If you have collected information from your contacts in accordance with the new law, you do not need to gain consent again after May 25th. However, any information that wasn’t collected to a GDPR standard will need to be reviewed and consent given line with the GDPR requirements.
● Plain english
Under the GDPR, you’ll need to be able to demonstrate that individuals had absolutely no doubt in what they were signing up for.
● No more ‘trusted third parties’
The GDPR states that any organisations to whom consent is being granted must be named as part of the agreement. In other words ‘trusted third parties’ is no longer valid. If an individual opts-in for marketing communication from Company A, then only communications initiated on behalf of Company A count as being opted-in. This also applies to any parent or sister companies.
Clever use of language won’t cut it either. Vague reference to the type of third party, such as “ourselves and selected homeware companies”, doesn’t comply.
So, if you offer a means of collecting information on behalf of ‘third parties’, you must specifically list each partner as a separate opt-in.
● No more opt-in by default
If using website opt-ins, checkboxes which are ticked by default are definitely not acceptable. This is known as “consent by default” and is explicitly banned under the GDPR.
● Specific means specific
If you obtain an individual’s consent for email invoicing, you cannot email them promotions, updates or newsletters without separate, specific consent to do so (unless there is a ‘legitimate interest’ – which we cover in our ‘GDPR and the tools marketeers use’ [link to part three] article).
○ Seasonal consent
If the specific opt-in was related to a specific seasonal offer, such as a summer sale or holiday promotion, then the opt-in is only valid for as long as that event. You need to consider how you will keep a record of these temporary opt-ins and how to remove them once the event has finished.
○ Terms and conditions
Unless communications form an essential part of your service or there is legitimate interest, you must ensure consent is separate from other terms and conditions.
○ Business evolution
Consent is specific to your business at the time of opt-in. If your business grows and offers significantly different products and services, then existing consent for your previous business will not cover you.
2. Breach notifications
● In the event of a breach, you have 72 hours to notify authorities and contacts of the nature of the breach and any risks
This is designed to give accountability to each organisation. It’s highly recommended you have a process for informing people if your data is leaked. As a worst case scenario, you have to imagine what would happen if your data is leaked on Friday morning, would you be able to inform everyone by Monday morning?
3. Data Protection Officer
Organisations are required to appoint a Data Protection Officer (DPO), whose role is to ensure compliance of the GDPR, if you fall under the following:
● Public authorities or bodies, except for courts acting in their judicial capacity
● Companies who process data requiring ‘regular and systematic monitoring of data subjects on a large scale.
● Companies who process, on a large scale, any special category of personal data. This includes data which reveals racial or ethnic origin; political opinions; religious or philosophical beliefs and other such information
● Companies who process, on a large scale, personal data relating to criminal convictions and offences
There is still some confusion as to whether you need to appoint a DPO if you are an SME. This is due to the vague language used in the GDPR. The general view is that you should appoint a DPO. However, this doesn’t mean you have to create a new role, an existing employee can assume the responsibility. If you are uncertain if you require a DPO, it’s best to consult an independent consultant.
4. Right to access
● Individuals have the right to obtain what information we have about them and how it is used, manage and processed
○ You must be able to provide a copy of the personal data we hold free of charge
5. Right to object
● An individual may prohibit certain data uses
6. Right to be forgotten
● An individual may request that we delete all data on that individual without undue delay
○ Unsubscribing or archiving individuals does not comply
7. Right to rectification
● Individuals may request that incomplete data be completed
● Individuals may request that incorrect data be corrected
For us as individuals, GDPR makes some serious headway in bringing the information available to businesses back into our control. You can see this as being the end of those unwanted, sketchy PPI emails and phone calls.
For businesses, the stricter consent requirements in particular will completely change the way businesses can promote themselves. It’s extremely likely that marketing contact lists are about to get a lot shorter. However on the flip side, the contacts should be a lot more engaged and we should see higher conversion rates as contacts specifically asked for the information.
Technology businesses that store a lot of personal, trackable data will face the biggest changes, but the GDPR will affect every businesses, and every department within those businesses – from back office accounts teams to front facing customer support. The most visible change will most likely come from Marketing departments and how they go about changing the way they currently use contact information to deliver targeted business information, promotions and campaigns.
For more information on how the GDPR will affect the most common digital marketing platforms, read our ‘GDPR and the tools marketeers use’ article.
For more information on GDPR, read our ‘Are you ready for GDPR?’ article, visit the EU GDPR website [https://www.eugdpr.org/], or have a look at this infographic from the European Commission [http://ec.europa.eu/justice/smedataprotect/index_en.htm].