First up, what is the General Data Protection Regulation (otherwise known as GDPR)? It’s new legislation from the EU that is designed to help protect EU citizens and their personal data. Now you may already be thinking – ah, well we won’t be in the EU soon, so it won’t affect me – but think again. The new rules come into effect in May 2018, when Brexit won’t be complete – also bear in mind that even companies that are not based in the EU will have to stick to these rules if dealing with data of EU citizens.
Here we outline the main points for your consideration:
Tick the box
The main issue is consent. People must be able to actively give consent for you to use their data for marketing purposes. That means you can’t have tick boxes that are ticked by default, and which the user must untick to decline consent – they MUST actively GIVE their consent. You also can’t assume consent has been given if there is silence or inactivity from the other party.
Keep a record
You also need to ensure you have clear records of what an individual has consented to, as well as how and when consent was given. This will enable you to demonstrate compliance should there be a complaint against you.
Make it clear
Data subjects must also have the right to withdraw their consent at any time – and you must also ensure that the wording of these parts is clear and understandable. And while the fact that subjects have the right to object to direct marketing is already in place, the GDPR will require businesses to ‘explicitly [bring this right] to the attention of the data subject.’
As the Direct Marketing Association has said: ‘the days of consent being buried in small print are numbered’.
Forget about me
The new rules also mean that data subjects have the right to be forgotten, should the data no longer be necessary or when they have withdrawn their consent for it to be used. What does this mean? Well, say they subscribe to your magazine and tick the consent box at the same time. Their subscription expires a year later. It is reasonable for them to be ‘forgotten’ at this time, until a new consent is sought.
Data protection officers
There’s a lot of onus on businesses to do the right thing with data – and if your business meets the criteria, you will be required to enlist the help of a data protection officer to manage this. They will be expected to have specialist knowledge and be appropriately trained – however, they may be an existing member of staff with other duties, or you can hire someone on a self-employed basis – there is no need to employ a full-time staff member.
So, once you are holding people’s data, what are your responsibilities? One major change is that data security breaches – such as hacking, discovery of passwords, etc. – must be reported to the ICO within 72 hours – and to the affected data subjects if their rights and freedoms are at risk from the breach.
And what happens if you don’t comply with the GDPR? The new regulations will bring in significant increases in penalties – serious breaches can result in fines of up to 20 million Euro or 4% of worldwide turnover, whichever is higher.
Regardless of when Brexit happens, businesses will need to comply with the GDPR when dealing with data from EU citizens – and it is highly likely that Britain will implement its own version of the ruling anyway, as we’ve been championing the cause since the start.
So what should you do now? Start work on your GDPR compliance straight away.
Finally, bear in mind that consent and privacy are no longer going to be issues that can be hidden in the small print, and take a look at all the places this will apply – emails, your website, social media, contracts and forms, printed materials – leave no stone unturned. Then you will be ahead of the game come 25 May 2018.