GDPR 2018: Are You Prepared?
The GDPR implementation deadline is only a matter of a few months away, but are you and your business prepared?
What is the GDPR?
In a nutshell, it is the result of nearly four years of discussion, and work, to help the EU bring data protection into line with modern technology and business workings.
In 1998 the EU Data Protection Directive of 1995 was superseded by the new Data Protection Act. However, after 19 years, this too is being relegated to the history books, with the EU’s GDPR (General Data Protection Regulation) taking its place.
This new set of rules places much bigger and tougher rules and sanctions on businesses for non-compliance and data breaches. It also allows people to have greater control over their data and how it is used and by whom. It also adds consistency to data protection rules across the whole of the EU, making them practically identical.
Why has the GDPR come about?
There are a couple of main reasons why we needed an update to the old DPA 1998. The EU believe people deserve to have significantly more control over how their data is used and stored. Many big companies (think Google and Facebook!) offer ‘free’ platforms and services; however, their fee is access to your personal data.
The DPA 1998 was created and put into place long before the internet and cloud computing/technology became the multi-armed beast that it is today. This means we’re actually long overdue an update to data security to stop the big data companies exploiting data and loopholes in the now outdated Act of 1998.
By making the regulation stronger and clearer, as well as introducing much tougher enforcement of the rules, the EU hopes to improve trust from both individuals and businesses in its ever-expanding digital economy.
The EU is also keen on making the existing rules, as well as the updates, clearer to understand. There are currently a lot of areas that are somewhat open to interpretation (read as ‘exploitation’), which often allows businesses to semi-define their own data protection practices. By making the law identical throughout the single market, the EU think tanks estimate that a massive €2 billion will be saved as a result.
When do the new changes come into effect?
Well, technically, the update is already live and in the wild, but businesses have been given a period of adjustment to get their affairs in order before nonconformists begin to be punished. The GDPR came into force on 24th May 2016, as this was when all EU members agreed to the updated regulations, but there was a 2-year period given to allow a smooth transition.
From 25th May 2015, the law will automatically apply to all businesses and organisations. As it is a regulation rather than a directive, no new legislation will need to be drawn up by any of the EU member states, which also helps allow a smooth transition as well as saving time and money.
Who will be affected by the GDPR?
All members of the EU will be expected to be fully compliant by the May 2018 deadline and, as mentioned above, it will automatically come into effect without the need for new legislation.
What does this mean for Digital Marketing?
Whilst this all sounds very serious (and it is), it’s not quite as stringent as it may first seem, but it does affect marketing in three key areas:
- The first is regarding opt-ins, opt-outs, and consent regarding communications. The GDPR stipulates that consent must be ‘freely given, specific, informed, and also unambiguous’, and articulated by a ‘clear affirmative action’. That means you mustn’t assume consent based on non-response or inactivity on the part of the party contacted. It also means that a pre-ticked box hidden at the bottom of a form isn’t going to cut it. Prospects and customers must clearly consent and understand that their data will be used and that they will be contacted. Businesses also need to keep a record of how and when an individual gave their consent, and be aware that the individual may withdraw their consent at any point they wish. They can also request to view a copy of their entire data record, and you legally have to provide this. If your current method for obtaining consent doesn’t meet these new rules, you’ll have to update it sharpish before the GDPR deadline passes in May 2018.
- Any individual has the right to be forgotten. The GDPR puts more control in the hands of individuals over how their data is collected and used; this means giving them the ability to access and remove their data if they require. They are allowed to do this when:
  - There’s no legitimate reason to process their information
  - They withdraw consent for the original usage terms
  - It’s been unlawfully processed at any point
- The third change is to the legal basis for processing personal data. Practically speaking, this will necessitate better housekeeping on the part of marketers – and less collecting of data for unnecessary or frivolous reasons.
How can we prepare for the GDPR?
The tougher sanctions on noncompliance with the GDPR will result in big financial penalties – for the larger breaches €20,000,000 or 4% of your annual turnover, whichever is greater. For smaller breaches the fine is €10,000,000 or 2% of your annual turnover; that’s still no laughing matter! This means that your approach to collecting and storing data will likely need to be examined and adjusted accordingly.
Agencies need to ensure they are well able to correctly handle any requests to view, amend or destroy data. Whilst online access to your database is not required for such requests, some kind of access will legally need to be facilitated. The chances are that you’ll likely never have any such requests, but it’s a wise idea to ensure you’re set up to handle them, just in case.
Aside from having internal data storage reviewed and improved, it’s vital that your team are educated as to how the GDPR impacts their job. If all of the team are not up to scratch on the regulations, then one loose cog will bring the whole machine down.
Spend some time and money educating them now, rather than leaving yourself open to potentially very costly mistakes down the line!
As a customer of Marketing Signals, if you have any questions or concerns around how we will be approaching GDPR, then please do get in touch and we will happily talk you through our plans.