GDPR: what’s all the fuss about?

The new GDPR legislation due to come into force in May next year aims to give individuals control of their own data and outlaw misuse of data by unscrupulous companies. But, while it’s hard to imagine rogue traders losing any sleep over laws they will likely ignore anyway, GDPR seems to have thrown the marketing community into turmoil and confusion. So what does the legislation cover and how will it affect how businesses can contact potential customers?

What exactly is GDPR?

The General Data Protection Regulation (GDPR) is new EU legislation that will govern how personal data is collected, processed, and stored. It has already been finalised and we are currently in the two-year grace period for implementation, which comes to an end when GDPR comes into force on 25th May 2018.

The main changes to current data legislation are:

  • Increased breadth and scope: personal data will be defined as anything that could be used to identify a ‘data subject’, including computer IP addresses. Plus, the regulation now applies to all companies that process personal data of EU citizens, wherever those companies are based.
  • Increased penalties: these will now be up to £20million or 4% of annual global turnover (whichever is greater) for serious infringements.
  • Increased control: data subjects will have the right to be ‘forgotten’ with their data erased; the right to access data held on them; and the right to request data to be passed to a third party.
  • Increased transparency: data subjects must know what data will be held and how it will be processed. Plus, companies must specifically name any other businesses the data will be shared with.
  • Increased rigor around consent: companies marketing to individuals are now required to gain active opt-ins that are explicit (instead of implied) and unambiguous. 
  • Increased security: companies will also need to be able to demonstrate how they are keeping data safe and must report any data breach within 72 hours.

How will it affect marketing?

This will depend on who you are marketing to, as the rules are different for individuals and companies.

Marketing to an individual (or sole trader or partnership): for direct mail and telephone marketing only an opt-out must be given (the same as now), but for email and SMS marketing, there must be an explicit, unambiguous opt-in process. This consent must not be bundled with other terms and conditions, clear opt-in statements must be used, and subjects must actively tick a box or click a link. Plus, separate consents must be sought for different types of processing wherever appropriate.

Understandably, this has caused considerable alarm for businesses that rely on direct marketing (including market research companies). But thankfully, telephone and direct mail remain opt-out under the new rules. What’s more, while consent from the data subject obviously allows you to contact them, ‘legitimate interest’ can also be used as justification. Under this provision, direct marketing will be allowed because it is reasonable to assume individuals would expect a business to promote its products using basic information. There is naturally some confusion over how exactly legitimate interest is defined - and more guidance from the Information Commissioner’s Office (ICO) would certainly be welcome.

Marketing to employees of a corporate (e.g. limited companies, LLPs, partnerships in Scotland and government departments): telephone, direct mail, SMS and email are all opt-out. This means you do not need to have prior consent to contact them, but you must provide a clear and easy way to stop them being contacted for marketing purposes in the future if they want to opt out. However, the rules governing marketing to corporate employees also come under the Privacy and Electronic Communications Regulations, which are currently under review, so this could change. Several trade bodies and associations are lobbying for the interests of the direct marketing community, so watch this space.

If not much is changing, is it just scaremongering?

GDPR is something that every company needs to take seriously, even if they think they will not directly be affected right now. The Government has said that even post-Brexit the new laws will apply, so there is no escaping it. Plus, the penalties are much tougher than before – up to £20million or 4% of a company’s turnover. There could even be criminal proceedings against executives if there is a serious data breach.

The biggest fear factor here is ignorance. Many companies collect data as a part of doing business (e.g. billing information, addresses, location information, email addresses, social media handles etc), but they do not always explain (or in some cases even know) how that data will be stored and processed.

Under the new regulation, companies must have a clear policy for data collection, processing and security. Clean, accessible data that has been responsibly gathered offers many advantages, such as analysis and insight, as well as diminishing the risk of a potentially costly and embarrassing data breach. Plus, if there is a good understanding within the business of why data is being collected, it is more likely to be used effectively instead of languishing on a server until it is out of date.

What should I do now?

For responsible companies already treating customer data with respect, there will be very little change, other than perhaps tightening up on privacy policies and ensuring accurate records are kept. But you can be sure you are ready for the May 2018 deadline by taking these steps:

1)    Be informed. The most reliable places to get information are the ICO (ico.org.uk), the DMA (dma.org) and the dedicated GDPR website (eugdpr.org). There is also a very thorough ICO guide to consent: https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf

2)    Be aware. Identify now if and how your company will be affected. If you are mainly marketing to corporate companies, very little will change. But if your marketing efforts are also aimed at sole traders/partnerships, you need to look at whether or not you have their consent under the new GDPR rules to contact them via email and SMS. If you are using legitimate interest as your reason for contact (as opposed to consent), make sure you have thought about and documented how you justify the legitimate interest.

3)    Be organised. Categorise your data so it is clear where sensitive data resides, and try to map the flow of data through the company so you can be sure who sees it and how it is processed. Think about appointing someone to be responsible for your customer data.

4)    Be risk-aware. Make sure you have security measures in place and a process for what to do in the event of a data breach.

5)    Be thorough. Where consent is required, make sure you can prove that it was given and when it was given. Check that previous consent processes for existing data would stand up against new GDPR rules.

6)    Be transparent. Tell data subjects how you will use their data, clearly explain the benefit to them, and make it easy for them to stop receiving marketing from you.

7)    Be forward-thinking. Wherever possible, start gathering explicit consent in order to increase the strength and quality of your marketing data.