GDPR – What you need to know about the General Data Protection Regulation

Published April 25, 2017

The General Data Protection Regulation (GDPR) comes into effect on May 25th, 2018 and impacts every organisation that uses personal data from EU citizens. This regulation doesn’t just affect consumer marketing – it applies equally to companies conducting business-to-business activity within the EU. And unlike the current Directive on Privacy and Electronic Communication, it will be law in all EU member states. According to the Direct Marketing Association, it marks big changes in the way organisations manage their email marketing, especially how they seek, collect and record consent (DMA, 2017).

We’ve taken a look at what the industry experts are saying about GDPR – how it will impact marketers and data collection, and what your organisation can do to prepare.

It’s not bad news…

This new law shouldn’t be regarded as an inconvenience – there are big benefits both for those seeking greater control of their data and for marketers wanting to build trust. According to Help Net Security, data breaches hit a record high in 2016, an increase of 40% from 2015 (Help Net Security, 2017). Ultimately the regulations governing data use needed to be reviewed, and the GDPR will modernise Europe’s data protection laws for the first time in over twenty years (Computer Business Review, 2017).

As Andrus Ansip, Vice President for the Digital Single Market at the European Commission, puts it: “(the GDPR) …is a major step towards a Digital Single Market. It will remove barriers and unlock opportunities. The digital future of Europe can only be built on trust.” (European Commission, 2015). And we’d have to agree – potential customers will be more likely to offer their data if they know their personal information is secure and less likely to be misused.

Once the new rules are brought in across the EU, businesses will be clearer about what they can and can’t do with the data they hold, and there will be less confusion about the restrictions in different markets. This will open up the playing field to many more organisations wanting to operate across Europe, who can do so safe in the knowledge that the data they hold can be used to communicate with others regardless of geographical borders.

Most strikingly, many experts claim that the new regulations will result in cleaner, more relevant and more up-to-date data (Gemalto, 2016). This change will force marketing departments to stop judging success by the size of their database and start judging it by the quality. Companies will benefit from far better insight into their end users as a result of better analysis of data that’s not muddied by irrelevant or old information held on outdated databases (Gemalto, 2016).

So how will the GDPR impact my organisation?

The Information Commissioner’s Office (ICO) has issued draft GDPR guidance listing seven changes to the way companies handle, collect and store data. Below are the key points taken from the report, which are also listed by the Direct Marketing Association:

Unbundled: Asking for consent should be separate from other terms and conditions, so individuals are clear what they are consenting to. Consent should not be a pre-condition of signing up to a service unless it is necessary for that service.

Active opt-in: The GDPR makes it clear in the recitals that pre-ticked boxes are not a valid form of consent. Clear opt-in boxes should be used.

Granular: Where various different types of data processing may occur, allow for separate consent as much as possible. The ICO wants organisations to be as granular as possible, which means giving consumers more control over what they’re consenting to.

Named: Always tell individuals who your organisation is and name any third parties that the data will be shared with. The draft ICO guidance states that terms like ‘we will only share your data with other men’s clothing retailers’ are not specific enough. The individual organisations that the data will be shared with need to be named.

Documented: Maintain records of the consents you have. Record the following information: what the individual has consented to; what they were told at the time; and the method of consent.

Easy to withdraw: Individuals should be able to withdraw their consent easily. Organisations must put in place simple, fast methods for withdrawing consent and tell individuals about their right to withdraw it.

Freely given: Consent should be freely given by individuals.

Further reading: How to Make Sign-Up Forms GDPR Compliant

Will Brexit make a difference?

The new regulations are aimed at multinationals, so if you are doing business or intend to do business with EU citizens or businesses, you’ll still need to sit up and listen – regardless of where you’re based. And with Germany and France representing some of the largest economies in Europe (International Monetary Fund, 2016), it’s likely to remain in UK business interests to carry on marketing to EU businesses and citizens. Even if you are planning to sever ties with Europe, the GDPR is set to pre-empt the UK’s departure from the EU, meaning UK companies need to prepare to meet these regulations. And regardless of the UK’s membership status, industry expert Kris Lahiri, Chief Security Officer at data software company Egnyte, suggests the UK may even follow suit in adopting the same regulations to maintain business relations with European partners and improve the data privacy rights of its own citizens (Computer Business Review, 2017).

What are the consequences?

If you fail to comply with the legislation, your company will be fined 4% of turnover or 20M Euro – whichever figure is higher (Allen & Overy, 2016). Citizens will have legal rights to bring individual lawsuits and make compensation claims in the case of a data breach (Allen & Overy, 2016). So with those two scenarios in mind, this isn’t something you can afford to ignore.

If a breach occurs, companies must report it within 72 hours and be ready to demonstrate their security and data privacy procedures at a moment’s notice (Computer Business Review, 2017). In an effort to further safeguard data, the GDPR also imposes restrictions on entities transferring personal data outside of the European Economic Area (EEA), with transfers only being lawful under limited circumstances (Computer Business Review, 2017).

And what about third-party data processors?

Lahiri thinks third-party marketing providers will be required to review their data procurement processes, and suppliers such as marketing list vendors will need to seek opt-in preferences when selling lists for promotional purposes (Computer Business Review, 2017). According to Ian Moyse, a Non-Executive Director of a GDPR training organisation, there is also talk that companies will need to appoint their own Data Protection Officer or face tough financial sanctions (Ian Moyse, 2017).

How can my company prepare?

The key, it seems, is preparation. According to the experts, companies will need to demonstrate “privacy by design” by storing user data in a pseudonymised way, with protection built directly into policies and processes (Computer Business Review, 2017). It’s far easier to build these processes in from the ground up than to retrofit them at a later stage.

Lahiri states that organisations need to take action now – to prepare for the GDPR by reviewing the systemic ways they use data and looking at what needs to change to meet the new requirements around the “right to be forgotten, right to erasure and the right to data portability” (Computer Business Review, 2017). To help with the preparation, the Direct Marketing Association has issued a series of guides, webinars and articles for businesses preparing for the introduction of the GDPR.

And before you panic, remember that many of the rules are similar to those in the current Data Protection Act (DPA), so if you are complying properly with the current law, many experts have said you’ve already got a good starting point to build on. The new law will undoubtedly involve significant enhancement of the systems and processes within your company, so our suggestion is to start preparing now. May 2018 might seem a long way off, but in order to prepare, you’ll need to be aware of what needs to change today.