Are you ready for the EU’s incoming General Data Protection Regulation, better known as GDPR?
Well, it comes into effect in May 2018, but there’s every chance that you’re not 100% prepared quite yet. According to figures published in Computer Weekly in October this year, more than 40% of marketers still feel that their organisation isn’t ready for the upcoming changes to the data protection rules that are going to affect how we communicate with customers, capture lead information, and how we do our jobs in general.
Other surveys show that GDPR preparation is even further behind. Smart Insights, for instance, surveyed over 200 people, and only 6% said that their company was ready for GDPR.
(Image source: smartinsights.com)
But let’s take a step back a moment and answer an important question before we continue.
What Is GDPR?
The EU’s new General Data Protection Regulation is a big deal. And let’s just be clear from the outset: forget about Brexit – GDPR will have huge implications for practically every business in the UK even after we leave the EU.
Indeed, it doesn’t matter whether or not your organisation is actually located within the EU itself. What matters is whether or not your organisation does business with people or other organisations which are in the EU, or indeed if you handle any form of data that is at all concerned with EU residents. There will be a new data protection bill in the UK after Brexit, though it will implement the vast majority of GDPR – and in any case, GDPR will still affect how UK businesses handle EU residents’ data whether we’re in the EU or not.
(Image source: wired.co.uk)
What this means is that even if you just have a contact form on your website through which you can capture personal data (such as names, email addresses, etc.) from EU citizens, GDPR affects you.
But what is GDPR?
Well, in a nutshell, GDPR is a regulation that provides a new framework for data protection laws. In the UK, it will replace the 1995 data protection directive, which the country’s current laws are based upon.
The objective of the regulation is first to give greater data protection and rights to individuals, and second to “harmonise” data privacy laws across Europe. And that second point is important – GDPR is a regulation, not a directive. Directives are implemented by each country through its own national law, whereas a regulation applies directly, meaning that GDPR will become law in all 28 countries across Europe as of May 25th 2018.
However – here’s the bit where your ears need to prick up. The risks of noncompliance are huge. Seriously huge.
Are you ready…?
The penalty for infringement of articles 5, 6, 7 and 9 of GDPR is a fine of up to €20 million or 4% of turnover – whichever is higher. The penalty for infringement of articles 8, 11, 25-39, 42 and 43 is a fine of up to €10 million or 2% of global revenue – whichever is higher.
Those are serious figures indeed…
(Image source: computerweekly.com)
How Will the Incoming GDPR Legislation Affect Marketing?
GDPR is a big deal for marketers.
Of course it is – after all, one of the biggest parts of a marketer’s job is to capture the personal data of potential leads, and then use that data to convert those leads into sales.
The incoming changes will affect how we do this in three important ways. Let’s break them down…
Come May 2018, consent regarding communications must be explicitly given by any contact you capture. Currently, you can get away with a pre-ticked check box that essentially implies consent in the sense that users must take an action to “opt out” of communications. Under GDPR, however, those same users must take an explicit action to “opt in”.
Indeed, consent, to use the words of the legislation, must be “freely given, specific, informed, and unambiguous” and be signified “by a statement or by a clear affirmative action”.
This means that you can no longer assume consent even if a prospect hands over their contact information on your website – for they must, in addition, give specific, informed and unambiguous consent that their data can be used and that they can be contacted. A pre-ticked box will no longer be good enough – and indeed, this is specifically mentioned in the legislation.
However, an “affirmative action” can include ticking a box to express consent. It’s the action that matters – users must now actively opt in, otherwise it must be assumed that they have opted out, meaning that they cannot be contacted and their data cannot be used.
While we’re on this point, the data subject must also be able to withdraw consent at any time – and it should be as easy to withdraw consent as it is to give it.
(Image source: foiman.com)
The Right to Be Forgotten
The purpose of GDPR is not to be a pain in the neck for marketers – rather, it is to give individuals more control over how their data is first collected and subsequently used. And this means that all individuals should have the right to be forgotten – and under GDPR, they will.
For starters, all data subjects must be provided with a clear means of accessing any data you’ve collected from them as and when they want to. What’s more, as part of subjects having the right to withdraw their consent at any time, they also retain the explicit right to have their data erased and no longer processed at any time.
All prospects have the right to be forgotten, and you must make it so that they can be forgotten in an instant with no questions asked.
The third part concerns what data can and cannot be collected.
Let’s face facts here – many marketers can be guilty of asking users for a little more data than is actually needed. If someone’s subscribing to your newsletter, for instance, do you really need to know what they had for breakfast, what their favourite movie is, or what their preferred social network is?
In most cases, the answer will most likely be – “probably not”.
Of course, we like this data because it helps us build up a better profile of our prospects which allows us to market to them better. However, under GDPR, we will have to legally justify the processing of the data we collect.
So, what this essentially means is that we can only focus on the data that we actually need (no more inside leg measurements, unless you’re selling jeans) and will have to let everything else fall by the wayside.
Over to You
So, are you ready for GDPR?
The deadline for compliance is May, so if you’re not ready, you haven’t got long left. You’ll need policies in place, as all businesses are subject to random audits at any time, and if they are found to be non-compliant – even if no actual complaints have been made – they will be subject to the astronomical fines outlined above.
However, so long as you can always prove that you are GDPR compliant – that you are obtaining consent in the correct manner, giving individuals access to their data and the right to be forgotten, and only collecting the precise data that you actually need – you should be OK.
Even if you don’t hire in a dedicated data protection officer, becoming GDPR-compliant will still cost you time and money. You will need to train and educate your team, adjust your systems and procedures, and document your policies in case a dreaded audit should come knocking on your door.
We leave you with this six-step guide to GDPR compliance from Computer Weekly.
(Image source: computerweekly.com)