What is GDPR?
An impending piece of data legislation that needs to be put in context at the outset is GDPR, the General Data Protection Regulation. This is a piece of European data privacy legislation that will become law in May 2018, Brexit or no Brexit, though some areas are still very grey at this point.
With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations, and to individuals. Having clear laws in place is more important than ever given the growing digital economy.
The GDPR applies to ‘Controllers’ and ‘Processors’. The definitions are broadly the same as under the DPA (the current Data Protection Act), i.e. the controller says how and why personal data is processed and the ‘processor’ acts on the controller's behalf. If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR.
If you are the ‘processor’, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under GDPR.
However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with GDPR.
It will impact all main marketing channels, and makes no distinction between B2C and B2B. As with current UK data privacy law, it covers all personal data (i.e. data relating to a person who is identified or identifiable), and states that it must be processed lawfully, fairly and transparently.
Where it goes further, however, is in requiring proof that consent was obtained. Effectively, for email this means Double Opt-In (DOI) consent to receive marketing communications. In practice this means:
- The customer ticks the box and gives their email address (first opt-in)
- A further email is then sent to that email address
- The customer clicks on a link in that email to finally consent (second opt-in)
Come May 2018, if you ask for consent via email and hear nothing, you cannot email that consumer again. The key action is to use the window of opportunity between now and May 2018:
- Collect as many double opt-ins (DOIs) as you can
- For each one, record the DOI flag, the date, and the permission statement they opted in to
- Offer incentives to get their consent
- Expect only circa 5% to consent from each double opt-in attempt – this will be a slow process to get your customers and prospects back to a marketable state
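The double opt-in flow and the record it must leave behind (DOI flag, date, permission statement, and where the address came from) can be put together in a few dozen lines. The following is an added illustration, not code from the original post or from any named vendor: a hypothetical in-memory consent store where the confirmation link carries an HMAC-signed, single-use, expiring token, so that a forged or replayed click cannot mark an address as consented. The key, the `example.invalid` URL and all names are assumptions for the example; a real deployment persists the records and keeps the key in a secret store.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class ConsentRecord:
    """One data subject's marketing consent, kept as proof of consent."""
    email: str
    permission_statement: str            # the exact wording the subject opted in to
    source: str                          # provenance: where the address came from
    requested_at: int                    # first opt-in: form submitted (unix time)
    confirmed_at: Optional[int] = None   # second opt-in: link clicked
    doi: bool = False                    # double opt-in flag


class ConsentStore:
    """Hypothetical in-memory double opt-in store (a real one persists records)."""

    def __init__(self, key: bytes, token_ttl: int = 7 * 24 * 3600) -> None:
        self._key = key                       # HMAC key; from a secret store in practice
        self._ttl = token_ttl                 # confirmation links expire after this
        self._records: Dict[str, ConsentRecord] = {}
        self._pending: Dict[str, str] = {}    # nonce -> email, consumed on confirm

    def _sign(self, payload: str) -> str:
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def request_consent(self, email: str, permission_statement: str,
                        source: str = "signup-form", now: Optional[int] = None) -> str:
        """First opt-in: record the request and return the confirmation link to send."""
        now = int(time.time()) if now is None else now
        nonce = secrets.token_urlsafe(16)     # URL-safe base64, never contains '.'
        self._records[email] = ConsentRecord(email, permission_statement, source, now)
        self._pending[nonce] = email
        payload = f"{nonce}.{now}"
        return f"https://example.invalid/confirm?token={payload}.{self._sign(payload)}"

    def confirm(self, token: str, now: Optional[int] = None) -> bool:
        """Second opt-in: verify signature, expiry and single use, then set the DOI flag."""
        now = int(time.time()) if now is None else now
        try:
            nonce, issued_str, sig = token.split(".")
            issued_at = int(issued_str)
        except ValueError:
            return False                      # malformed token
        expected = self._sign(f"{nonce}.{issued_str}")
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return False                      # tampered or forged token
        if now - issued_at > self._ttl:
            return False                      # stale link; ask again instead
        email = self._pending.pop(nonce, None)  # each link confirms at most once
        if email is None:
            return False                      # unknown nonce or already used
        record = self._records[email]
        record.doi = True
        record.confirmed_at = now
        return True

    def is_marketable(self, email: str) -> bool:
        """Only addresses with a completed double opt-in may be emailed."""
        record = self._records.get(email)
        return record is not None and record.doi

    def provenance(self, email: str) -> Optional[dict]:
        """Answers: where from, was consent obtained, can you prove it, how recently?"""
        record = self._records.get(email)
        if record is None:
            return None
        return {"source": record.source, "doi": record.doi,
                "statement": record.permission_statement,
                "confirmed_at": record.confirmed_at}


if __name__ == "__main__":
    store = ConsentStore(b"demo-key-not-for-production")
    link = store.request_consent("alice@example.invalid", "Monthly product newsletter")
    print("send this link:", link)
    token = link.split("token=", 1)[1]
    print("confirmed:", store.confirm(token))
    print("marketable:", store.is_marketable("alice@example.invalid"))
    print("provenance:", store.provenance("alice@example.invalid"))
```

An address is only marketable once `confirm` has succeeded, and the stored record is what you would produce when asked to prove consent: the statement agreed to, the date of the second opt-in, and the source of the address. The signature covers both the nonce and the issue time, so neither can be altered to extend a link's life.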
The likely consequence is the consented base of customers will shrink – but be more responsive.
Additional considerations will include:
- Joint and several liability will apply – the Data Controller will be jointly liable alongside all Data Processors, and also any further Third Parties
- Contractual agreements need to reflect GDPR requirements, across the entire supply chain
- Data provenance will be vital to determine
  - i.e. where is the data sourced from, has consent been obtained, can you prove it, and how recently?
- Breach notification plan – notification to the ICO is needed within 72 hours
  - Notification process
  - Disaster recovery plan to cater for specific occurrences, e.g. Denial of Service attack, hacks, employee breaches
- Applies equally to Third Parties
  - “technically in keeping with your own” data policies
  - send out questionnaires to third parties asking about data security – and worry about those slow to respond
- Important to consider data security – not just from the client's perspective, but also the consumer's
  - i.e. protecting the privacy of data subjects
- Privacy Impact Assessments
  - a tool to identify and reduce the privacy risks of your projects
  - a PIA can reduce the risks of harm to individuals through the misuse of their personal information
  - it can also help you to design more efficient and effective processes for handling personal data
We are advising our clients that this need not be as draconian as it sounds - proceed reasonably now (i.e. do not leave it too late), and start implementing best practice and adherence, and you will be fine. The implications are:
- Act immediately
- Potentially only 5% of people will opt-in per attempt, so as the deadline approaches, your opportunities to send follow-ups to those who have not yet opted-in will diminish
- Think GIVE and GET – give them something in return for supplying their email opt-in to you – you only have until May 2018 to do that
- Expect that your consented base will shrink – but be more responsive
- Start with your customers for whom you already have Email consent, explain the GDPR changes and that you want them to opt-in – use scare or FOMO (fear of missing out) tactics as necessary. If you don’t explain the importance of asking for this, your opt-in rates could fall by 20%
Use third-party data now, and get as many people as possible to opt in to marketing communications.