By John Kennedy on 2017-04-13 17:53
If you have not already done so, you will soon have to focus on finding, evaluating and categorising the personal data your company stores, and, while you are at it, update or establish the processes and procedures needed to comply with the EU's new data protection rules.
What is the GDPR?
The GDPR, or General Data Protection Regulation (the full text runs to 261 pages), is designed to unify data privacy law across the EU, giving EU citizens more control over their personal data and prescribing how organisations may use, and must protect, that data.
Under the EU’s new rules, consumers have the right to know how their personal data is being used and why it is being processed, to access and correct it, to restrict further processing, and to request that all of it be erased.
As a company you must know what personal data you hold on your customers, where it is stored, where it came from, and the lawful basis on which you keep and process it.
Organisations that store and/or process EU consumer data must vigorously protect it, regardless of where the company itself is located. Regulatory compliance may be viewed as an admin burden, but if your company is found to be in breach of the regulation you will face severe penalties and may be fined up to 20 million EUR or 4% of annual global turnover, whichever is higher.
The GDPR was adopted in April 2016 and applies across the EU from 25 May 2018.
What Are The Challenges You May Face As A Business?
- Awareness of GDPR > Make sure the decision makers in your organisation know that the law is changing to the GDPR and what the consequences of non-compliance are
- Do you have an overview of your data and the sources (an information audit)?
- What is the risk level for each source in terms of meeting the new consent rules?
- Can you show the processes and procedures you have in place to protect and manage the data?
- Do you have appropriate documentation and audit trails in place on how you seek, obtain and record consent?
- Do you need to review your current privacy notices and put a plan in place for making any necessary updates to them going forward?
- Do you know how to identify what is considered to be personal data?
- Are you aware who you share data with?
- How do you control access rights to your data to prevent a breach?
- Do you understand how to respond and manage a data breach incident?
- Do you carry out any data processing?
- Do you have a clear overview of roles and responsibilities of who does what in your organisation for example who would delete data or process requests?
A great source of information if you want to start reading more about GDPR is provided by the ICO (Information Commissioner's Office) in the UK.
Many organisations will need to design or update their data protection compliance practices. Sales and marketing in particular already attract consumer suspicion over emailing, profiling and tracking practices, which adds to the pressure to get compliance right.
Who Does The GDPR Affect?
The GDPR applies not only to organisations located within the EU but also to organisations outside it that offer goods or services to EU data subjects, monitor their behaviour, or hold any personal data on them.
What Constitutes Personal Data?
Any information relating to an identified or identifiable natural person, the ‘data subject’. It can be anything from a name, a photo, an email address or bank details to posts on social networking sites, medical information or an IP address.
How Does The GDPR Affect Policy On Data Breaches?
A breach that is likely to result in a risk to individuals must be notified to the supervisory authority within 72 hours of the company becoming aware of it and, where the risk is high, to the affected individuals without undue delay. The notification must also describe the measures taken or proposed to address the breach.
Consent To Communicate With A Contact
Consent must be freely given through a clear and easy-to-understand process, users must be told the purpose for which their data will be processed, and it must be as easy to withdraw consent as it is to give it.
Does GDPR Apply To B2B Marketing?
Yes: a named business contact's email address is personal data. The safest way to meet the requirement that consent be demonstrable is a "double opt-in", in which the contact confirms the subscription from their own inbox before you send any marketing email. That means between now and May 2018 you need to get as many of your contacts double opted-in to your communications as possible. Remember that if there is a complaint you will need to be able to document the permission flow and prove that you received permission to email them.
The result may be a smaller but better-qualified database to target. If you receive contact details in the course of a sale, for example, you can use that email address to market similar products or services, as always with a clear opt-out option.
What Are The Main Benefits For EU Citizens?
The new rules will put them back in control of their data, through:
- A right to be forgotten
- Easier access to your own data
- The right to know when your data has been hacked
- Data protection first, not an afterthought
What Are The Benefits For Businesses?
Data is the currency of today's digital economy and has immense value. To help companies thrive in this environment the new rules offer:
- One continent, one law: The Regulation will establish a single, pan-European law for data protection, replacing the current inconsistent patchwork of national laws.
- One-stop shop: companies will deal with a single lead supervisory authority
- The same rules for all companies – regardless of where they are established
- European regulators will be equipped with strong enforcement powers
Preparing For GDPR
As a company you should conduct a thorough review of the various types of personal data you store, their source, what they are used for and whether each is critical to your business.
By building up insight into your data supply chain, you can identify potential vulnerabilities in the flow and assess and address the risk of hacking or data breaches.
As a marketer you will need to assess your current processes for email and blog subscriptions, landing pages, calls-to-action and so on. You must obtain consent in the correct way, store it properly and be able to prove when and how each contact gave it. If your contacts are silent, or you treat inactivity or pre-ticked boxes as consent, you will be breaking the rules.
This is where inbound marketing can help with GDPR compliance. Create high-quality content on your website that can be gated as a tactic to collect email addresses and consent opt-ins from visitors. Vague or deliberately soft consent wording will not be compliant with the GDPR.
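One way to implement the double opt-in and the proof-of-consent record described above and in the B2B section, as an added Python example that is not the article's own code: a ledger that records every consent request, confirmation and withdrawal with its timestamp, source and the exact notice text shown, issues a single-use confirmation token that expires, stores only a hash of that token, and lets a contact withdraw in one call. Contacts identified by email, a "purpose" string, the 48-hour token lifetime and the in-memory list are assumptions made for the example.

```python
"""Double opt-in consent ledger (added example, not from the article).

Assumptions: contacts are identified by email, a purpose string names what
the contact agreed to, the application sends the confirmation link itself,
and callers pass timestamps in chronological order. Storage is an in-memory
list standing in for an append-only table.
"""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

TOKEN_TTL = timedelta(hours=48)  # constructed policy value for the example


def utc(*parts: int) -> datetime:
    """Helper so callers can build timezone-aware timestamps tersely."""
    return datetime(*parts, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ConsentEvent:
    email: str
    purpose: str
    kind: str        # "requested", "confirmed" or "withdrawn"
    at: datetime
    source: str      # form URL or API path where the action happened
    notice: str      # exact wording the contact saw, kept for the audit trail


class ConsentLedger:
    def __init__(self) -> None:
        self.events: list[ConsentEvent] = []  # append-only audit trail
        # sha256(token) -> (email, purpose, issued_at, notice); raw token never stored,
        # so a leaked database does not let anyone confirm on a contact's behalf
        self._pending: dict[str, tuple[str, str, datetime, str]] = {}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request(self, email: str, purpose: str, notice: str, source: str, now: datetime) -> str:
        """Step 1 of double opt-in: record the request, return the token for the email."""
        token = secrets.token_urlsafe(32)
        self._pending[self._hash(token)] = (email, purpose, now, notice)
        self.events.append(ConsentEvent(email, purpose, "requested", now, source, notice))
        return token  # consent is NOT valid until confirm() succeeds

    def confirm(self, token: str, source: str, now: datetime) -> bool:
        """Step 2: the contact clicked the link. Token is single-use and expires."""
        entry = self._pending.pop(self._hash(token), None)  # pop makes it single-use
        if entry is None:
            return False  # unknown, reused or tampered token
        email, purpose, issued_at, notice = entry
        if now - issued_at > TOKEN_TTL:
            return False  # expired: the contact must start again
        self.events.append(ConsentEvent(email, purpose, "confirmed", now, source, notice))
        return True

    def withdraw(self, email: str, purpose: str, source: str, now: datetime) -> None:
        """One call, no token, no re-confirmation: withdrawing is as easy as giving."""
        self.events.append(ConsentEvent(email, purpose, "withdrawn", now, source, ""))

    def has_consent(self, email: str, purpose: str) -> bool:
        """Consent holds only if the latest confirm/withdraw event is a confirmation."""
        latest = None
        for e in self.events:
            if e.email == email and e.purpose == purpose and e.kind in ("confirmed", "withdrawn"):
                latest = e
        return latest is not None and latest.kind == "confirmed"

    def evidence(self, email: str, purpose: str) -> list[ConsentEvent]:
        """The permission flow you would show a regulator for one contact and purpose."""
        return [e for e in self.events if e.email == email and e.purpose == purpose]


if __name__ == "__main__":
    ledger = ConsentLedger()
    tok = ledger.request("ann@example.com", "newsletter",
                         "Yes, email me the monthly product newsletter.", "/signup", utc(2018, 5, 25))
    ledger.confirm(tok, "/confirm", utc(2018, 5, 25, 9))
    for event in ledger.evidence("ann@example.com", "newsletter"):
        print(event.at.isoformat(), event.kind, event.source, repr(event.notice))
```

The `evidence()` list is the artefact the article asks you to be able to produce: who agreed to what wording, when, from where, and whether they later withdrew. Unknown, reused or expired tokens are rejected rather than silently accepted, and a withdrawn contact stays withdrawn even though an earlier confirmation is still in the trail.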
"Does The EU GDPR Apply To Cold Calling?"
Only email and SMS marketing messages require opt-in; telephone calls, direct mail and fax are opt-out. Those channel rules come from the ePrivacy rules (PECR in the UK) rather than the GDPR itself, but the personal data you use to make the calls is still covered by the GDPR.
The first mistake organisations make is to treat GDPR as purely an IT issue. It is not: it needs to be owned across departments, from legal to IT to marketing.
Non-compliance carries very significant business risk. Apart from the reputational damage to your brand, you will lose the trust of customers and could face a severe fine.
We will not be able to replace the need for legal advice, and this blog cannot be used as legally binding advice. It is important that you discuss GDPR and its implications for your organisation with appropriate legal advisors.
Image source: www.freepik.com