The General Data Protection Regulation (GDPR) comes into effect in May 2018 and its implications for digital marketing are significant. The regulation’s aim is to improve and simplify data protection for all EU citizens, residents, and businesses. However, many businesses have reacted with fear, as some see the rules as harsh, complicated and hostile to their commercial interests. But what does it actually mean for digital marketers, and what can they do to adjust to it?
The GDPR is not as strict or harsh as it has been made out to be, but it is important to remember that it does affect digital marketing in three critical areas.
The first concerns opt-ins, opt-outs and consent to communications. Under the GDPR, all consent must be freely given, specific, informed and unambiguous, and it must be given by a ‘clear affirmative action’. This means you cannot infer consent from a prospect’s inactivity, and a pre-ticked box is not enough to meet the standard. Prospects and customers have to actively agree that their data can be used and that they can be contacted.
The second concerns control and retention. The GDPR exists for citizens and has been designed to give them back control over how their data is collected and what it is used for. This includes giving them the option of having their data removed from your database. You should not keep data longer than needed, nor use it for anything other than its intended purpose; businesses and organisations are no longer able to keep anyone’s data indefinitely. European citizens can ask you to remove their data when there is no legitimate reason to process it, when they withdraw the consent under which it was originally collected, or when it has been unlawfully processed.
The third change is the legal basis for processing personal data. This means you will need to do a better job of collecting data and stop gathering unnecessary data for ill-considered reasons. All data gathered from your customers and prospects must have a reason behind it: what do you intend to use it for, and for how long will you need it? The intended purpose plays a massive role. You can no longer collect data for the sake of having it; if you fail to follow this, your organisation could face large penalties.
While most of a digital marketer’s job will go on as before, there are still a few changes we need to be aware of, especially when it comes to collecting and storing personal data.
Where the 1998 Data Protection Act saw internet users gain some control over their personal data, the GDPR will bring a massive upgrade to these privacy laws, essentially ushering in a ‘new age of marketing’. Personal data will no longer be just someone’s health records, email address and so on, but will include genetic, mental, cultural, economic and social identity, making the definition of ‘personal data’ a much bigger challenge.
Many businesses use databases to store personal data; email marketing lists and customer relationship management (CRM) databases are two examples that will be affected by the GDPR. While adding pre-selected check boxes for signing up to email newsletters was an accepted practice in the past, businesses now need ‘explicit confirmation’ of users’ intent to submit personal information to them for the specified purpose. The same goes for CRM databases: businesses will need to make it clear that they will be keeping the submitted data in a CRM database for their own use.
As part of the GDPR, a data protection officer (DPO) will need to be appointed. This person is responsible for ensuring that customers know what their data is being used for, acts as the point of contact for the official data protection body (the ICO), and responds to any customer requests regarding their data. So, for example, if Stephen isn’t happy with company A for one reason or another but wants company B to have his data instead, Stephen can ask company A’s DPO to move the information they hold on him over to company B. The process should be quick and easy, and shouldn’t involve Stephen any more than necessary.
So how do we begin to prepare for this? We know it’s still roughly a year away but we should all be paying attention and getting prepared as early as possible to avoid the last minute panic come May 2018. So, where do we start? Reviewing.
Once you’ve completed the audit, you’ll need to make all staff members aware of the GDPR and perhaps go further and train them on its ins and outs. In particular, you’ll want to cover the consequences for the business if the guidelines are not adhered to.
It’s also worth having a procedure in place in the event that a security breach does happen. How you deal with any breach will greatly affect your case; if you haven’t taken these steps, the consequences could be devastating to your business. An action plan, in this case, is essential. Consider how long it will take you to notify the ICO (it must be within 72 hours), how you’ll provide the relevant consent records, data and logs of all the information you collect, and an account of how the breach could have happened.
The best thing you can do ahead of the GDPR rolling out is to get prepared early and ensure you’ve covered all touch points with regard to the personal information you keep.
This EU GDPR Documentation Toolkit from IT Governance is a great help in terms of the documentation you will need to put in place and help towards preparing your business for GDPR.
The exact details of which fine applies to which data-breach offence remain to be clarified. However, the maximum fine of up to €20 million or 4% of global annual turnover for the following financial year is the warning being used most heavily. As mentioned, this will be imposed for the most serious of data breaches. One such serious breach relates to the processing of personal data and is outlined in Article 5. It requires data controllers to ensure that personal data is “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.
Less severe on the fine scale is Article 32. This Article requires a business to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk” of their personal data processing.
Which Article a potential data breach may fall under can be difficult to determine at this point. What is clear is that the overall penalties are larger and the policing will be stricter. To put this into perspective, www.theregister.co.uk reported last month that TalkTalk’s fine from last year would have skyrocketed to £59 million instead of £400,000 under the new regulations.
Disclaimer: This material is provided for your general information and is not intended to provide legal advice. To understand the full impact of the GDPR on any of your data processing activities please consult with an independent legal and/or privacy professional.