Background on GDPR
In 1995 the European Union (EU) adopted the Data Protection Directive, intended to protect EU residents from abuses related to the processing of personal data. At the time this was considered an important component of EU privacy and human rights law.
A lot has changed since then.
Several major data breaches and data-hacking incidents worldwide have compromised individuals’ personal data in the EU and elsewhere. In addition, the value of personal data is steadily increasing in our growing digital economy.
The Data Protection Directive was no longer considered adequate, and so a new set of provisions, called the General Data Protection Regulation (GDPR), was adopted in April 2016.
GDPR supersedes the Data Protection Directive beginning 25 May 2018. It applies to all European Union member nations—including the UK.
In addition, because GDPR is a “regulation” and not a “directive,” it is binding. Therefore, it becomes part of UK law as soon as it takes effect. It will apply to every organisation in the UK, regardless of size or sector.
This means that if your organisation is involved in any aspect of digital marketing, GDPR will very likely affect your business.
GDPR’s Impact on Your Digital Marketing
To be more specific, GDPR will impact all aspects of data collection and digital customer relationship management (CRM).
Regardless of your business sector, chances are good that in the current digital environment much of your company’s daily activity revolves around personal data. Finding, gathering, and using such data is typically a significant aspect of a company’s websites, apps, internal databases, CRMs, email, and social media presence.
Although your company may already have in place privacy processes and procedures that were consistent with the previous Data Protection Directive, keep in mind that GDPR mandates many new protections, processes, and procedures for those dealing with EU residents.
Moreover, when it comes into force in the spring of 2018, GDPR carries with it the threat of substantial fines and penalties for noncompliance—fines of up to 20 million Euros or up to 4 percent of the offending organisation’s annual worldwide turnover of the preceding financial year, whichever is greater.
To comply with GDPR, you’ll need to gain permission to collect, record, and maintain data via “explicit consent” from the individuals.
For marketing via email, you’ll be expected to rigorously and regularly check personal-data-use permissions.
You’ll need to make sure that if you monitor individuals via, for example, online behaviour tracking, that you do so in compliance with the provisions of GDPR.
You’ll also be expected to understand “the right to be forgotten.” This can range from a simple requirement to purge personal data from your database upon request, to the deletion of indiscretions or legal records from a person’s past that continue to appear in Google searches. It has been defined under Italian law as “the right to silence on past events in life that are no longer occurring.” However, the right is now being stretched a bit under GDPR to extend to situations such as the continued existence, maintenance, and tracking of customer information in a company’s database, even after the individual has chosen to opt out of such inclusion.
What You Need to Tell Your Customers
GDPR uses the term “data subjects,” which it defines as the individuals whose data is being collected, stored, maintained, etc., or individuals about whom data is being collected, stored, maintained, etc.
It requires that all data subjects who are EU residents have the opportunity to provide the company with “clear and affirmative consent” to the use of their personal data. The data subjects are further entitled subsequently to delete or correct this data.
Note that according to GDPR, “clear and affirmative” consent means “offering individuals genuine choice and control.” Consent requires an active opt-in, as opposed to pre-ticked boxes or other default processes: “Explicit consent requires a very clear and specific statement of consent.”
Under the new rules, companies will be required to keep all data subjects who are EU residents well informed about all of the following:
- What personal data about them is being stored
- How their personal data is being used
- Who has access to their personal data
- How and why their personal data is being processed
- Duration of time (how long) their personal data is being stored
- Who the data subject should contact about any aspect of the above
The Data Protection Officer
One way to help your company achieve GDPR compliance is through the appointment as soon as possible of a “data protection officer” (DPO).
In fact, GDPR demands that “data controllers”—defined by the new regulation as organisations that collect and process personal data—must each designate a “data protection officer” to ensure GDPR compliance.
The expectation is that DPOs will be appointed for all “data controllers” involved in “regular and systematic monitoring of data subjects on a large scale” or where the entity conducts large-scale processing of “special categories of personal data,” such as data revealing or suggesting racial or ethnic origin. (And note that something as simple as a first or last name—such as Pilar, Muhammed, Patel, or Bjornson—may readily suggest racial or ethnic origin.)
An effective DPO will ensure GDPR compliance in time for the May 2018 deadline, and will see to it that this compliance is not only achieved but maintained once GDPR goes into effect.
At your company, an appropriately trained and informed internal employee is often the best choice for a DPO. However, if your organisation processes and manages very large amounts of personal data from EU data subjects, you might consider outsourcing the DPO function.
Ignoring the regulation until it’s too late could be a costly mistake in both time and money.
GDPR is inevitable, so begin preparing for it now.
Here are two steps to take:
Audit Your Data
To prepare for GDPR, you should conduct an audit of all personal data your company gathers, processes, maintains, etc.
The audit should identify how the data is used, where it is stored, whether it’s still needed by your company, etc. If you use a third party such as MailChimp, you’ll need to confirm that this third party is GDPR-compliant or will be in time for the deadline; if this is not the case, find a GDPR-compliant provider.
Update Your Website
Chances are that for marketing purposes your company obtains personal data about customers and prospects through your website.
Best wishes for success to you all on your journey toward GDPR compliance!