What is GDPR and why does it affect me?
You have most likely heard of GDPR already, and if you haven't, where have you been? Nearly every personal email I have received over the last 8 weeks has in some way been connected to the looming change of EU data rules.
From 25 May 2018 GDPR applies across the UK and the rest of the EU, and also to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour (Article 3). A US company selling to Customers based in Europe is therefore bound by GDPR for that data just as a European company would be.
From a personal perspective and as a consumer (as we all are) I welcome GDPR: no more emails notifying me of flash sales, that I have won a car, or that I should spend my Sunday looking for my next holiday, and the list goes on… but, from a professional perspective, it would be an understatement to say this will rock the foundations of marketing and commercial activity to their core. How will we contact Customers or Prospects to inform them about our latest product or service launches? How will they be made aware of events we are holding, or participate in surveys (unless, of course, they have opted in)?
For those of you who were hiding from GDPR, let me quickly explain what you can expect should you ever be in breach of the new regulation. The maximum fine for the most serious breaches is €20m or 4% of a company's annual global turnover, whichever is higher (a lower tier of €10m or 2% applies to other infringements). Yes, pretty steep indeed when compared to the maximum penalty under the UK Data Protection Act 1998 (£500k).
The GDPR text itself is extensive: 99 articles and 173 recitals (the recitals explain the intent behind the articles). Each EU member state designates a Supervisory Authority to enforce it; for the UK it is the Information Commissioner's Office (ICO). Usually these authorities are the existing data protection regulators. Separately, the EU's proposed ePrivacy Regulation, which governs email, telephone and SMS communication, was intended to apply alongside GDPR from 25 May; its adoption has since been delayed, and in the UK the existing Privacy and Electronic Communications Regulations (PECR) continue to govern electronic marketing. Those rules have never been merely advisory: the ICO already issues fines under them.
GDPR also leaves room for member states to restrict its obligations or legislate their own rules in certain areas. Article 23 allows restrictions to safeguard:
- national security;
- public security;
- the prevention, investigation, detection or prosecution of criminal offences;
- other important public interests, in particular economic or financial interests, including budgetary and taxation matters, public health and social security;
- the protection of judicial independence and judicial proceedings;
- breaches of ethics in regulated professions;
- monitoring, inspection or regulatory functions connected to the exercise of official authority regarding security, defence, other important public interests or crime/ethics prevention;
- the protection of the individual, or the rights and freedoms of others; and
- the enforcement of civil law claims.
Chapter IX then lets member states set their own rules for specific processing situations:
- freedom of expression and freedom of information;
- public access to official documents;
- national identification numbers;
- processing of employee data;
- processing for archiving purposes in the public interest, and for scientific or historical research and statistical purposes;
- secrecy obligations; and
- churches and religious associations.
What should I be doing?
- If you haven't already, you should consider sending an email or letter to all your Customers and Prospects asking them whether they wish to opt in and continue to receive updates from you, or opt out, under the new GDPR rules. I suspect there will be a period of grace for companies in issuing these emails, but I wouldn't advise that you leave it too long. Two cautions before pressing send: consent is only one of six lawful bases for processing, so check first whether another basis (legitimate interests for business contacts, or the PECR "soft opt-in" for existing customers) already covers the contact; and a re-consent email sent to people who never consented to marketing in the first place is itself a marketing email, something the ICO fined Flybe and Honda for in 2017.
- Decide whether you must designate a Data Protection Officer. GDPR makes a DPO mandatory for public authorities and for organisations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special category data (Article 37); otherwise name a data protection lead. Either way, that person should handle complaints and any identified data breach, bearing in mind that a breach likely to pose a risk to individuals must be reported to the ICO within 72 hours of discovery (Article 33), and their contact details should be clearly stated in all your privacy statements.
- Redraft your privacy statements: name the third-party providers (processors) you use to handle data online or offline, state your lawful basis and how long you keep the data, and ensure the wording could be understood and discussed by a 16-year-old. Article 12 requires privacy information to be concise, transparent, intelligible and in clear and plain language, and an overcomplicated or unclear policy is itself an infringement that can be penalised.
- Ensure that any databases or systems you use meet GDPR's minimum standards: appropriate technical and organisational security measures for the data they hold (Article 32), a written contract with every processor that handles personal data on your behalf (Article 28), and a record of what you process, why and for how long (Article 30).
- If you are a UK-based company and haven't already registered with the Information Commissioner's Office, do so; from 25 May 2018 this takes the form of paying the annual data protection fee.
- Maintain a record of all your Customers and Prospects safely and securely, with features that let you record, as a minimum, who consented, when, how (which form or channel) and what they were told at the time. You have to be able to demonstrate that consent was given (Article 7), so an unevidenced tick in a CRM field is not enough.
- Ensure that you have a robust consent process in place, including forms and somewhere safe to store this information (either in brief or full form). Valid consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative act: pre-ticked boxes, silence or inactivity do not count, and withdrawing consent must be as easy as giving it.
- The right to be forgotten (the right to erasure, Article 17) applies when an individual asks to be removed from your data processing systems; it is not absolute, but for marketing data you will rarely have grounds to refuse. You must act without undue delay and within one month (Article 12), tell any third parties you have passed the data to so that they erase it as well (Article 19), and confirm to the individual what you have done; the regulation does not say what form that confirmation or any proof should take. At this stage, it is not clear what constitutes proof, for example, should this be a screenshot of the deletion confirmation screen? However, a record then still exists in some form in your sent box, so I think there will still be a period of settling before everything becomes totally clear for data processors.
Want to know more?
The Information Commissioner's Office has prepared a 12-step guide for smaller companies wishing to learn how they can apply GDPR effectively. It can be accessed here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
You can also assess your readiness for GDPR by using this tool (again provided by the ICO): https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/
Written By Kat Holt, Head of Marketing and Corporate Development