GDPR: What, where, when, how and why?
Yes, that’s right, here’s another article regarding the upcoming changes to legislation known as GDPR.
We’ll hop right into the ins and outs of the legal changes in just a few moments, but for now, this article has been designed to give you an overview of the key changes and implications of GDPR.
If you haven’t heard of this, or have nowhere to begin, read on to understand our key findings.
First a history lesson…
Our current data protection laws here in the UK are as follows:
- PECR – Privacy and Electronic Communications (EC Directive) Regulations 2003
- Data Protection Act (1998)
- Data Protection Directive (1995)
You can read more about these and what they cover, from the Information Commissioner’s Office (ICO) by clicking above.
The data laws in this country needed an overhaul – the DPA is nearly 20 years old and times have moved on!
Almost two years in the making, a combination of Europe’s finest data protection experts have produced their recommendations for the changes needed to make sure data used in this modern age is stored and dealt with appropriately. And so, GDPR was introduced.
What is GDPR?
GDPR stands for General Data Protection Regulation and is the harmonisation of data protection laws across the whole of the European Union. As businesses, we will feel the direct effect on 25th May 2018, but guidance is in place now for businesses.
And don’t worry – Brexit is unlikely to have an effect on the rules.
Who does it affect?
All organisations processing personal data of EU citizens will be affected by the changes. There are no exemptions for size of business and there is no need to have a presence in the EU either. Basically – every business is affected.
What has changed?
- Data processors have increased obligations and liabilities and data controllers are required to be more accountable for the data they hold.
- Data subjects have enhanced rights and as such consent requirements are much stricter
- Transfers of data to outside the EU have changed
- Increased fines – massive fines! More on this below…
The main change that is likely to affect email marketers is the ruling surrounding consent, meaning how we gather data and use email addresses for marketing purposes. The GDPR guidance states that consent must follow these rules:
- Consent must be freely given
- Consent must be specific
- Consent must be informed
- Consent must be unambiguous
- Consent must be given through an affirmative action
- The controller must be able to demonstrate consent
- Written consent needs to be clearly distinguishable from other terms and conditions
- The user has the right to withdraw consent
Here’s the ICO’s guidance on consent – it’s 39 pages so get comfortable and grab a cup of tea.
Consequences of non-compliance
The fines for non-compliance are huge, which is why GDPR should be taken seriously.
The maximum fines for non-compliance are €20 million, or 4% of annual global turnover, whichever is the higher figure. There may also be compensation required for breaches to data subjects, not to mention the reputational damage that could be caused.
How does this affect marketers?
From a marketing point of view, you should consider the following:
- Gaining consent – how do you currently gather this, what policies do you need to update, does your website need updating?
- Double opt-in – do you have it, do you need it?
- Using existing data – have you got documented consent for each and every individual?
- Any existing marketing practices that might need to change
Watch the webinar on How GDPR will affect Marketers here.
How can we help?
At the moment, as mentioned above, the finalised guidance is due to be released in December 2017 and so some details are likely to change. For now, the main drive is ensuring your policies are in line with the guidance so that final tweaks can be made at the start of 2018.
We would like to make it clear that we are simply sharing this with our clients and further audience to make you aware and therefore are not legal experts. We highly recommend consulting the guidance website, which can be found here, and any legal experts you may need for your business.
We can, however, help with the addition or creation of tools to ensure your data is managed correctly. Tools mentioned above that give consumers choice, such as preference centres or double opt-in messages, can be implemented in your account. If you’d like training on how to use these tools, we can help with that too, ensuring your marketing team are aware of the processes they need to follow.
Contact our team if you have any further questions, and we’ll be happy to help!