Is your data safe?

MARKETER’S GUIDE TO THE GENERAL DATA PROTECTION REGULATION (GDPR)

  • GDPR comes into effect on 25 May 2018
  • The UK’s decision to leave the EU will not affect its application in the UK
  • It governs the way businesses are required to collect, process and secure the personal data of the individuals they do business with
  • GDPR applies to ‘personal data’ and looks towards organisations having a “culture of privacy”
  • In the UK, the Information Commissioner’s Office (ICO) will be responsible for its regulation
  • The principles of the GDPR are similar to those contained within the Data Protection Act 1998, which the GDPR supersedes
  • Currently there is no distinction in the GDPR between B2C and B2B personal data

‘More than 40% of UK marketers say their business is NOT READY for the changes in the forthcoming General Data Protection Regulation.’

Source: DMA Oct 2017

“The General Data Protection Regulation… provides more protection for consumers, and more privacy considerations for organisations. It brings a more 21st century approach to the processing of personal data. And it puts an onus on businesses to change their entire ethos to data protection… make no mistake, this one’s a game changer for everyone.”

Elizabeth Denham, Information Commissioner

THE SIX PRINCIPLES OF GDPR

GDPR is underpinned by six principles. In summary, personal data should be:

  • Processed lawfully, fairly and in a transparent manner in relation to individuals
  • Collected for specified, explicit and legitimate purposes and not processed beyond those
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  • Accurate and, where necessary, kept up to date
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
  • Processed in a manner that ensures appropriate security of the personal data

DEFINITION OF PERSONAL DATA

Any information relating to an identified or identifiable living person (‘data subject’). In practice this could cover names, email addresses, phone numbers, date of birth, bank details, address, etc., and it also includes online identifiers such as IP addresses and cookie IDs where they can be linked to an individual. This can be:

  • Files on a computer
  • Files on a hard drive/USB stick
  • Paper files
  • CCTV footage
  • Video footage
  • Audio recordings

DATA CONTROLLER VS. DATA PROCESSOR

The GDPR applies to ‘controllers’ and ‘processors’.

A controller determines the purposes and means of processing personal data.

A processor is responsible for processing personal data on behalf of a controller.

If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of your processing activities and to process personal data only on the controller’s documented instructions. You will have legal liability if you are responsible for a breach.

However, if you are a controller, you are not relieved of your obligations where a processor is involved: the GDPR requires you to use only processors that provide sufficient guarantees of compliance, and to put written contracts in place with them that meet the GDPR’s requirements.

The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU, or that monitor their behaviour.

LEGAL GROUNDS FOR DATA PROCESSING

There are six lawful bases (legal grounds) on which you can process personal data:

  • The data subject has given consent. Consent must be freely given, specific, informed and unambiguous, given by a clear affirmative action, and you must be able to demonstrate that it was given. A double opt-in, with a record kept of both steps, is a common way of evidencing this, but it is the record of the consent, not the double opt-in itself, that the GDPR requires
  • It is necessary for the performance of a contract with the data subject
  • It is necessary for the controller to comply with a legal obligation
  • It is necessary to protect the vital interests of the data subject or another natural person
  • It is necessary to perform a task in the public interest or in the exercise of official authority
  • It is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where those interests are overridden by the interests or fundamental rights of the data subject

BREACHES

A personal data breach must be reported to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. Where a breach is likely to result in a high risk to individuals, the affected individuals must also be informed without undue delay. Keep a record of every breach, including those you decide not to report, together with the reasoning behind the decision.

ACCESS REQUESTS

An individual has a right to ask what information is held about them and for what purpose, and to receive a copy of it. Requests must be answered without undue delay and at the latest within one month (extendable by a further two months where requests are complex or numerous), and free of charge in most cases; a reasonable fee may be charged only where a request is manifestly unfounded or excessive, for example because it is repetitive.

THE PENALTIES

If an organisation breaches the GDPR, fines can reach €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher.

However, the GDPR also allows for warnings, reprimands and temporary or permanent bans on data processing. It is unlikely that a maximum fine will apply in every case.

Individuals can also claim compensation from data controllers or processors who infringe the regulation for the damage they have suffered, including non-material damage such as distress.

The GDPR outlines the criteria that will be applied when the ICO is considering a sanction:

  • The nature, gravity and duration of the infringement
  • Whether the infringement was intentional or negligent
  • The data controller’s steps to mitigate any potential damage
  • How the regulator found out about the non-compliance
  • Adherence to a particular code of conduct

RECOMMENDATIONS

  • Complete an information audit
  • Create an internal GDPR policy and implement it
  • Update your privacy policy, and create a double opt-in process and a preference centre / privacy dashboard
  • Investigate the best combination of CMS and mailing platform
  • Speak with all third-party processors and implement agreements
  • Staff awareness and training

The ICO’s website has a twelve-step plan to help organisations prepare for the GDPR. It sets out advice around making sure key decision makers know the law around personal information is changing, documenting the information the business holds, and reviewing privacy notices.

SUMMARY

Keep up-to-date

The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate and remove those risks. It’s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation.

Emberson runs regular free seminars on GDPR and data management.