Get in shape for GDPR – 2 months to go!
At the end of 2017 we gave an introduction to what the new GDPR was and how it might affect us as digital marketers. Now, with just 2 months to go until it is fully enforceable, we delve a little deeper into exactly what you can do to make sure that you’re GDPR compliant and ready for the change!
First, a little recap: the GDPR is the first law of its kind to try to introduce a global control over how businesses handle their data and its security. Whilst it’s already technically in effect right now, a grace period was given to businesses due to the potential enormity of the new regulations – that grace period ends on May 25th 2018. After that date, all international businesses need to be sure they’re ready or face enormous fines and penalties!
How confident are you?
Sage, the well-known accounting and payroll software manufacturer, did some market research into how businesses are preparing for the GDPR and made a little infographic highlighting some interesting facts:
- Only 45% of businesses have a plan in place to become GDPR compliant
- Of these, just 66% actually have any confidence in their plans
- 56% of businesses are not clear on the penalties they can face for non-compliance
That’s worrying! Let’s delve a little deeper into just a couple of the more important things we need to do to make sure that we’re addressing these compliance issues… (This is by no means an exhaustive list!)
No More Holidays
Taking data on a short holiday overseas is no longer a legitimate loophole. Previously, the old DPD (Data Protection Directive) allowed businesses to process their collected customer data on overseas servers outside of the EU jurisdiction. This meant they were not bound by the actual rules of the DPD – a little counterproductive?! Well, not any more. Whenever a business collects data from its customers inside the EU, regardless of where that data is then processed, it is covered by the new GDPR.
No More ‘Open To Interpretation’
The older DPD was a little woolly on the exact definition of what counted as personal data. It was assumed this was just the obvious stuff: names, addresses, phone numbers, emails, photos and bank details etc. Under the new GDPR this is more clearly defined as any identifying information, and it has been expanded to include more digital identifiers such as IP address, geo-locational information, device-based information, biometric data, and profiling information (demographic and behavioural).
No More Assumptions
Have you ever filled out a form online and, at the end, seen a pre-ticked box that says you’re happy for your personal data to be passed on or to receive further communications, only to find that you have to untick it to withhold your personal data? Well, that’s gone too. Now you have to leave those boxes unticked by default. Customers have to actively tick the box themselves to allow you to pass on their data or contact them again.
A similar move has been made to clarify consent to terms and conditions too. Previously, consent could be written into a site’s T&Cs and then customers could be asked to agree without even reading them, through the use of a simple button in a form. Now any request for consent must be moved to an obvious place rather than being hidden away – somewhere like a homepage pop-up.
The power is now in your hands as the customer. You have the full control of your data for the first time; this includes the right to be forgotten too.
Customers have the right, at any time, to request a full copy of all the data a company holds on them – how, why and where their data is being used – as well as to request that this data be deleted with immediate effect. The company is legally obliged to comply in full. They’ll need to provide a transparent response along with a copy of the personal data, free of charge and in an electronic format. Yes, free of charge – no more sneaky ‘admin fees’ to try and put customers off from such requests.
As a business you may be lucky and never have to deal with a request such as this; however, some industries lend themselves to receiving more requests than others. As such, it can’t hurt to prepare a GDPR-friendly request document well in advance. You can use this to explain how you use your customers’ data and how it is stored. You can then just add the relevant personal info you hold. This could help save you a serious amount of time if or when you get any such requests.
So there we go. A few extra points that may help you to better understand what’s coming. As ever, make sure you research the potential implications yourself and look to numerous different sources of information to ensure that you have your facts straight.
As a customer of Marketing Signals, if you have any questions or concerns around how we will be approaching GDPR then please do get in touch and we will happily talk you through our plans.