How Will The GDPR Affect You and Your Customers
On 25th May this year, the General Data Protection Regulation (GDPR) comes into force and sets a new standard for consumers' rights over their personal data.
What Does GDPR Mean?
The EU General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in the last twenty years and takes effect from 25th May 2018. It replaces the 1995 EU Data Protection Directive (Directive 95/46/EC), strengthening the rights that EU individuals have over their data and creating a uniform data protection law across Europe.
Brexit will not affect the new regulation: the Secretary of State for the Department for Culture, Media and Sport has confirmed that the GDPR will apply in the UK from May 2018.
How Will GDPR Affect My Business?
The GDPR applies to organisations processing and holding personal data within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
Personal data means any information that can be used, directly or indirectly, to identify a person, for example:
- Name, address and ID numbers
- Online identifiers such as location data, IP addresses, cookie identifiers and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
Depending on the severity of the non-compliance, companies can be fined up to 2% of annual global turnover or €10 million (whichever is higher) for failing to comply with the GDPR. For more serious infringements, such as breaches of the basic processing principles or of data subjects' rights, the fine can be up to 4% of annual global turnover or €20 million (again, whichever is higher). Importantly, these rules now apply to both controllers and processors.
Additionally, companies may only use personal data for the purpose for which it was originally collected; using it for a different, incompatible purpose can result in a penalty. If there is a personal data breach, the controller has 72 hours from becoming aware of it to report it to the regulator (unless the breach is unlikely to result in a risk to individuals), and the affected individuals must also be told where the breach is likely to result in a high risk to them.
“Regardless of your size, if you are a business that handles personal information then data protection laws apply to you.
“If a company is subject to a cyber-attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. And under the new General Data Protection Legislation (GDPR) coming into force next year, those fines could be a lot higher.”
The GDPR is already causing some concern among U.S. companies: two-thirds believe that the new rules will force them to rethink their strategy in Europe, and 85% see the GDPR as putting them at a disadvantage against their European competitors.
One major concern is programmatic advertising, which relies heavily on data from third parties and social media sites such as Facebook.
Companies will now have to obtain opt-in consent before recording and using an individual's data, and make it just as easy to withdraw that consent as it was to give it. For companies that approach the new legislation positively this could be a blessing in disguise, as they will be dealing with people who genuinely wish to interact with their company, products and services.
Who Can I Email?
An email address at work is personal data, whether it is a corporate one or that of an employee of a sole trader or partnership. The Data Protection Act now, and the GDPR from 25th May 2018, apply to the processing of that email address. The difference between sole traders/partnerships and corporates arises when you look at PECR (the Privacy and Electronic Communications Regulations).
PECR deals with gaining permission to send marketing by email. The general rule is that you must obtain prior consent before sending a marketing email to an individual subscriber. However, in a B2B environment there is an exemption for employees of corporate subscribers: you can send them a marketing email without their prior consent.
In summary, email addresses of corporate employees can be licensed for third-party email campaigns.
Legitimate interests would be the lawful basis for processing this personal data, as long as all of the following criteria are met:
- A corporate is defined as a limited company, public limited company, limited liability partnership or government department, and its employees can be emailed without prior consent (e.g. firstname.lastname@example.org).
- Employees of corporates must be given the option to easily unsubscribe or opt-out from receiving email marketing.
- The product or service being promoted can be purchased by the recipient in a professional capacity.
- The sender must identify itself and provide contact details.
How to prepare
It is recommended that organisations prioritise five specific actions to prepare for the GDPR. The first is to appoint an individual to act as a contact point for the data protection authority (DPA) and for data subjects. The second is to appoint a data protection officer (DPO) to ensure processing operations are compliant; a DPO is mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special-category data.
The remaining recommendations are to be transparently accountable for all processing activities (keeping records of them), to investigate data flows across borders both within the EU and outside it, and to prepare for data subjects to exercise their extended rights, such as the right to erasure (the "right to be forgotten") and the right to be informed of a data breach.
IBM have also created a five-step approach to help organisations ensure they’re ready for GDPR. The “5 Phases to Readiness” breaks preparation down into separate steps:
- Assess GDPR readiness.
- Design an implementation plan.
- Adapt wherever enhancements are needed.
- Create a framework designed to ensure compliance.
- Follow and stay up to date on GDPR standards.
What will change?
Whilst the GDPR certainly creates some obstacles, compliance can also improve your brand's reputation, which can only be a good thing.
Major industry players such as YouTube and Google are already changing their services to provide a more holistic and less intrusive advertising experience, which will no doubt be welcomed by consumers and should reduce the current level of ad blocking.
We could be seeing a paradigm shift, with digital networks and businesses providing a safer, less intrusive ecosystem for their users and customers respectively.