By John Kennedy on 2017-06-05 12:24
A storm is brewing on the horizon: the new General Data Protection Regulation (GDPR) takes effect on 25th May 2018, less than 12 months away. Add to this the parallel lobbying of online data privacy advocates, recent high-profile cyber-attacks, and the perception among consumers that privacy policies are getting weaker, not stronger.
The finish line for GDPR is already fixed and getting closer, and the risk to businesses of not being compliant is significant. Only 54% of businesses surveyed by the Direct Marketing Association (DMA) expect to be compliant by the deadline. According to the survey nearly a quarter of companies have not even started preparing yet, and consent is the biggest cause for concern, cited by 70% of respondents.
Moving forward, as a result of the GDPR companies will need to be far more transparent with what they do with the personal data that they manage and process, while EU citizens will have more control of their own information.
What Is GDPR?
It is hard to think of a business today that does not use personal data in some way. Whether you have employees, customers or supplier data – if the data relates to an individual you will need to comply with GDPR. Personal data is any information relating to an identified or identifiable natural person or ‘Data Subject’. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
Organisations have to assess the compliance of their data policies and challenge the attitudes to working with data. It is not enough for employees to say their job is not compliance related, or that they are not a data protection expert. Most of us do use data in our work and need to take responsibility for the protection of data and not leave it to somebody else.
As a business you need transparent and easy to understand data policies, so that you can explain clearly to employees, customers and third parties what you are doing and why, and work together to achieve compliance.
The GDPR or General Data Protection Regulation (the full text runs to 261 pages) is designed to unify data privacy laws across the EU, giving EU citizens far more control over their data.
Where sales and marketing are concerned this completely changes the handling of data. The onus will be on companies to demonstrate how they meet the GDPR conditions. If they cannot prove how consent was obtained to hold a subject in their database, then there is a strong likelihood that they will be non-compliant.
As an organisation, when you collect personal data it must be relevant for the purpose. This means that if, for example, you have run a competition, you can only use the information for that purpose. Using that information for another purpose requires further consent. A marketing database that exists today needs to be thoroughly reviewed to check that consent was given in the correct way, that the data is being used for legitimate interests, and that the source of the data collected is known.
The question is: what does 'legitimate interests' mean? GDPR states that direct marketing, for example, is a legitimate interest, although this needs further clarification by the data protection bodies. If you already hold consent for direct marketing in an existing database and obtained it in the right way, you will not be required to obtain further consent, provided the original request meets the new requirements under the GDPR.
Organisations that store and/or process EU consumer data must employ strong measures to protect the personal data they store and process, regardless of where they as a company are located. If your company is found to be in breach of the new regulations you will face steep penalties and may be fined up to 20 million EUR or 4% of annual global turnover.
What Are Some Of The Impacts Of GDPR?
1.) The new rules will put individuals back in control of their own data, through:
- Requiring explicit consent to use personal data
- A right to be forgotten
- Easier access to an individual's own data
- Companies need to be specific about what will be done with your data
- The right to know when your data has been hacked
- Data protection as a priority
- Powers for individuals to take legal action against organisations that don’t respect your rights
Data is the currency of today's digital economy and has immense value. To help companies grow in this environment, the new rules provide organisations with:
- A single, pan-European law for data protection
- One single supervisory authority to deal with
- The same rules for all – regardless of where your company is established
- A European regulator equipped with strong enforcement powers
2.) Portability of data
Allowing users to extract in a structured format personal data from service providers and to move that personal data to another provider.
3.) Breach notification
Privacy by design is an approach that promotes privacy and data protection compliance from the start. Unfortunately, these issues are often ignored at the start of a relationship or project, but addressing them early will aid organisations in complying with their obligations under GDPR.
Data breaches which may pose a risk to individuals must be notified to the appropriate authority within 72 hours. The company must also show which procedures have been initiated to fix the problem.
There is also an obligation to notify individuals affected in certain circumstances. Breaches can range from a hack, to putting a letter in the wrong envelope. Organisations will need to be able to monitor their IT systems to know whether or not there has been a breach.
In a survey conducted by YouGov on behalf of law firm Irwin Mitchell of 2000 UK businesses, only 29% of all businesses had started preparing for the GDPR. According to the YouGov survey results, only 26% of surveyed businesses expressed confidence in their ability to report data breaches to the regulator within the required 72 hours.
4.) More effective supervision and enforcement
Data breaches have become more commonplace today, and as such companies need to manage data with a robust IT security plan. The GDPR will provide regulators with significant powers to penalise non-compliance.
Any breach carries the risk of damage to a company's finances and reputation, so marketers must ensure that all data being used complies with the GDPR. Your brand's reputation can hinge on how you as a company treat customers and whether you meet their expectations, and today those expectations increasingly include privacy.
5.) One-Stop Shop
This makes it easier for citizens within the EU to complain about infringement of their data protection and privacy rights under GDPR.
As a marketer, now is a good time to assess the current marketing programs through which you engage with your customers, especially your email strategy, blog subscriptions, e-newsletters, landing pages and forms, calls-to-action, etc.
6.) Privacy notice
The right to be informed means that users should be supplied with comprehensive information on how their data may be processed.
What is important here is the use of plain language: telling the user who you are, why you are processing their data, how long it will be stored and whether any third party receives it.
The information you supply about the processing of personal data must be:
- Concise, transparent, intelligible and easily accessible
- Written in clear and plain language
- Free of charge
The information you must supply depends on whether or not you obtained the personal data directly from the individuals concerned. The ICO has published an information table that is an easy way to understand what is needed.
Consent is the biggest area of concern, as GDPR will mandate an 'opt-in' approach to B2B data collection and use. This raises the worry that customers may opt out en masse as companies go through the process of formally inviting contacts to opt in to make sure that they meet the new rules.
Consent must be freely given through a clear and easy to understand process, and users must be informed for what purpose their data will be processed.
The do's and don’ts of gaining consent:
- You must be able to demonstrate how the data subject has consented to the processing which means recording how and who gave consent
- The data subject must be able to withdraw consent at any time and it shall be as easy to withdraw consent as to give it
- Brands will need to be specific about what will be done with the data
- If processing for multiple purposes consent should be given for all of those purposes
- Purpose has to be unambiguous, clear and simple
- There must be an opt-in box so that it can record how the data subject gave consent
- Silent consent, pre-ticked boxes or inactivity do not constitute consent
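The do's and don'ts above translate directly into what a consent record has to capture: who consented, how, when, for which purposes, and a withdrawal path that is as easy as the opt-in. The following is an added example (not code from the original post) of a small consent ledger that enforces those rules; the class and field names are assumptions, and the sample events in the usage section are constructed for illustration.

```python
"""Consent ledger illustrating the GDPR consent rules listed above.

Added example, not from the original post. Class names, field names and
the sample subject/form identifiers are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class ConsentEvent:
    """One append-only entry: a consent given or withdrawn."""
    subject_id: str            # which data subject (pseudonymous id)
    purposes: Tuple[str, ...]  # specific purposes, e.g. ("newsletter", "offers")
    action: str                # "given" or "withdrawn"
    method: str                # how consent was captured, e.g. "web_form_opt_in"
    recorded_by: str           # who/what captured it, e.g. a form id or staff id
    notice_version: str        # which privacy notice text the subject saw
    timestamp: datetime        # when it happened (UTC)


class ConsentLedger:
    """Append-only ledger: current state is derived by replaying events."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record_opt_in(self, subject_id: str, purposes: Tuple[str, ...],
                      method: str, recorded_by: str, notice_version: str,
                      box_checked_by_user: bool, box_prechecked: bool,
                      timestamp: Optional[datetime] = None) -> ConsentEvent:
        """Record consent only if it was an affirmative, specific act."""
        # Pre-ticked boxes, silence or inactivity are not consent.
        if box_prechecked or not box_checked_by_user:
            raise ValueError("consent requires an affirmative act by the subject")
        # Purpose must be explicit; blanket consent is not acceptable.
        if not purposes or any(not p.strip() for p in purposes):
            raise ValueError("consent must name at least one specific purpose")
        event = ConsentEvent(subject_id, tuple(purposes), "given", method,
                             recorded_by, notice_version,
                             timestamp or datetime.now(timezone.utc))
        self._events.append(event)
        return event

    def withdraw(self, subject_id: str, purposes: Tuple[str, ...],
                 method: str, recorded_by: str,
                 timestamp: Optional[datetime] = None) -> ConsentEvent:
        """Withdrawal is a single call with no extra hurdles: as easy as opting in."""
        event = ConsentEvent(subject_id, tuple(purposes), "withdrawn", method,
                             recorded_by, "n/a",
                             timestamp or datetime.now(timezone.utc))
        self._events.append(event)
        return event

    def active_purposes(self, subject_id: str) -> Set[str]:
        """Replay the subject's events in order to get the purposes still consented to."""
        active: Set[str] = set()
        for ev in self._events:
            if ev.subject_id != subject_id:
                continue
            if ev.action == "given":
                active.update(ev.purposes)
            else:
                active.difference_update(ev.purposes)
        return active

    def may_process(self, subject_id: str, purpose: str) -> bool:
        """Check before every processing step, not only at collection time."""
        return purpose in self.active_purposes(subject_id)

    def proof_of_consent(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        """Return the event that demonstrates current consent for a purpose, or None."""
        if not self.may_process(subject_id, purpose):
            return None
        for ev in reversed(self._events):
            if (ev.subject_id == subject_id and ev.action == "given"
                    and purpose in ev.purposes):
                return ev
        return None


if __name__ == "__main__":
    # Constructed sample events; identifiers are placeholders.
    ledger = ConsentLedger()
    ledger.record_opt_in("subject-001", ("newsletter", "offers"),
                         "web_form_opt_in", "signup-form-v3", "notice-2018-05",
                         box_checked_by_user=True, box_prechecked=False)
    ledger.withdraw("subject-001", ("offers",), "email_unsubscribe_link", "prefs-page")
    print(sorted(ledger.active_purposes("subject-001")))   # ['newsletter']
    print(ledger.proof_of_consent("subject-001", "newsletter").method)
```

The design point is that the ledger is append-only and the current consent state is always derived from the history, so the "how and who" of every opt-in survives later withdrawals and can be produced on request, while an opt-in captured from a pre-ticked box is rejected at the point of recording rather than discovered in an audit.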
8.) Revising your data policy
Now is a good time to start updating the text you use to reflect why you are collecting the data and what it is going to be used for. As businesses we know that personal information has a value, so protecting it makes good business sense, and the benefits of having the data exceed the costs of managing it properly.
Being irresponsible, ignoring privacy concerns and not protecting data has significant downsides, and failure can be damaging. GDPR will enforce stricter mandates on privacy and apply far greater penalties for non-compliance.
Any immediate gains from taking privacy shortcuts are short-lived, as the savings made will be dwarfed by the penalties of failure.
Preparing For GDPR
GDPR will make it mandatory for companies to conduct data privacy impact assessments to identify risks and mitigation. It is recommended that you conduct a thorough review of the various types of personal data you have stored, their source, and what they are used for. We will not be able to replace the need for legal advice, and this blog cannot be used as legally binding advice. It is vital for you to discuss GDPR and the implications for your organisation with appropriate legal advisors.
As a marketer you will need to assess your data capture flows, against what you do today for email/blog subscriptions, landing pages, calls-to-action, etc. You will need to make sure that you get the consent in the correct way, store it properly and have a process to prove that the contact is who they say they are.
A privacy impact assessment is a process which helps an organisation to identify and reduce the privacy risks of a project. The UK's ICO (Information Commissioner's Office) has a useful tool that you can download and that provides a detailed assessment.