What is changing with the data protection rules – GDPR?
We have outlined below some guidelines to show you how you can comply with GDPR, the new data protection rules which come into force in the EU on 25th May 2018. The guidelines are based on information gathered at the Technology for Marketing & Advertising trade show and a presentation given at the Cambridge WordPress Meetup by Howard Elsey at E-Paylogistics.
What exactly is GDPR?
The General Data Protection Regulation (GDPR) is a new regulation which governs the data protection rights of all individuals within the EU. This means they will gain the rights to access, amend and restrict the personal data organisations hold about them. GDPR is about protecting the privacy of individuals. Privacy encompasses the rights and obligations of individuals and organisations with respect to the collection, use, retention, disclosure and disposal of personal information.
GDPR is about transparency, control and consent including the journey of data within an organisation and outside it, even how it is used with other third parties to provide, for example, profiling information. Companies will need to be transparent about how they use customer information and what information they are collecting.
What if I don’t comply with GDPR?
If you don’t comply by 25th May 2018, you could be asked to stop processing your data and/or be given a large fine. You could, however, make your data anonymous, because anonymised data is not identifiable.
Is GDPR just about marketing data? What about other types of data?
If your organisation employs more than one person you will need to be careful about your employees’ information too. They have a right to privacy and to control over how their data is used. GDPR therefore applies to the HR department as well as the Marketing department.
There will be customer and employee data and also sensitive data, like health data. It would be risky if this data escaped into the public domain and therefore organisations will need to be extra careful about sensitive data.
Is GDPR about putting the brakes on marketing?
Companies will need to be careful how they market to individuals and only market to them in the way the individuals have consented to be marketed to. GDPR isn’t about putting the brakes on marketing, it’s about doing it compliantly.
The biggest change within the GDPR is the way consent is granted
- With regard to consent the GDPR stipulates that consent must be knowingly and willingly given by the individual.
- Organisations must keep a record of why, when and how they were granted permission (this can easily be automatically recorded within your CRM – customer relationship database).
- There must be details of what they were told at the time (e.g. how the data will be used, such as to offer whitepapers, email marketing, promotions etc.).
- Individuals should be given the chance to opt-in and opt-out of each form of marketing e.g. telemarketing, direct mail and email marketing.
- Individuals will have the right to be forgotten and to have all the data on them deleted if they so wish (even from the backup) and the organisation needs to keep proof of this and a note of the date they deleted the data.
- Consent should be fully informed and freely given. It should be revocable, offer a genuine choice that the individual can change later, and be auditable.
What you need to do to comply with the new data protection rules – GDPR
To comply with the new data protection rules you will need to:
- Review all information about your contacts and ensure it has a legal reason for being there. It’s a good opportunity anyway to reconnect with your contacts and check they want to receive marketing communications from you. You can give them the chance to specify which type of marketing communications they wish to receive, e.g. phone calls, emails etc. You will need to record this information in your database/CRM. GDPR specialist Woodfortrees has an audit tool to help.
- Check you can delete contact names and provide proof of doing so.
- Going forward, allow individuals to consent to different forms of marketing when they give you their contact details and allow them to opt out when they wish. Requests to modify customer data should be acted on promptly, without delay, and completed within 30 days.
- Large companies may need a data protection impact assessment to document what’s at risk, how they will mitigate the risk and how they will demonstrate compliance and best practice.
What else do I need to know?
In the unfortunate event of a data breach, organisations must inform the individual that this has occurred within 72 hours of the breach. It is also important to make sure your privacy notice is clear, concise and in plain language. It does need to be easy to understand.