MARKETER’S GUIDE TO THE GENERAL DATA PROTECTION REGULATION (GDPR)
GDPR came into effect 25 May 2018
The UK’s decision to leave the EU does not remove these obligations: the GDPR has been retained in UK law as the UK GDPR, sitting alongside the Data Protection Act 2018
It governs the way businesses are required to collect, process and secure the personal data of the individuals they do business with
GDPR applies to ‘personal data’ and looks towards organisations having a “culture of privacy”
In the UK, the Information Commissioner’s Office (ICO) is responsible for its regulation
The principles of the GDPR are similar to those contained within the Data Protection Act 1998, which it supersedes
The GDPR makes no distinction between B2C and B2B personal data: a named business contact’s work email address or direct phone number is personal data
‘More than 40% of UK marketers say their business is NOT READY for the changes in the forthcoming General Data Protection Regulation.’
Source: DMA Oct 2017
“The General Data Protection Regulation… provides more protection for consumers, and more privacy considerations for organisations. It brings a more 21st century approach to the processing of personal data. And it puts an onus on businesses to change their entire ethos to data protection… make no mistake, this one’s a game changer for everyone.”
Elizabeth Denham, Information Commissioner
THE SIX PRINCIPLES OF GDPR
GDPR is underpinned by six principles. In summary, personal data should be:
Processed lawfully, fairly and in a transparent manner in relation to individuals
Collected for specified, explicit and legitimate purposes and not processed beyond those
Adequate, relevant and limited to what’s necessary in relation to the purposes for which they are processed
Accurate and, where necessary, kept up to date
Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
Processed in a manner that ensures appropriate security of the personal data
DEFINITION OF PERSONAL DATA
Any information relating to an identified or identifiable living person (‘data subject’). In practice this could cover names, email addresses, phone numbers, date of birth, bank details, address, etc. This can be:
Files on a hard drive or USB stick
DATA CONTROLLER VS. DATA PROCESSOR
The GDPR applies to ‘controllers’ and ‘processors’
A controller determines the purposes and means of processing personal data
A processor is responsible for processing personal data on behalf of a controller
If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of the personal data you hold and of your processing activities. You will have legal liability if you are responsible for a breach.
However, if you are a controller, you are not relieved of your obligations where a processor is involved: the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU, or that monitor their behaviour.
LEGAL GROUNDS FOR DATA PROCESSING
There are six legal grounds through which you can process personal data:
The data subject has given consent
(consent must be freely given, specific, informed and unambiguous, given by a clear affirmative action, and you must be able to demonstrate that it was given; a double opt-in with a recorded confirmation is the usual way to evidence this for email marketing)
It’s necessary for the performance of a contract
It’s necessary for the controller to comply with a legal obligation
It’s necessary to protect the vital interest of the data subject or other natural person
It’s necessary to perform a task in the public interest
It’s necessary for the purposes of the legitimate interest pursued by the controller or third party
A personal data breach that is likely to result in a risk to individuals’ rights and freedoms must be reported to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it.
An individual has a right to ask what information is held about them, for what purpose and with whom it has been shared. These requests must be answered without undue delay, within one month at most, and normally free of charge.
If an organisation breaches the GDPR, fines can reach €20 million or up to 4% of global annual turnover for the previous financial year, whichever is higher.
However, the GDPR allows for warnings, reprimands or temporary suspensions of data processing. It’s unlikely a maximum fine will apply in every case.
Separately, individuals can claim compensation from data controllers or processors who infringe the regulation for damage they have suffered, whether material or non-material.
The GDPR outlines the criteria that will be applied when the ICO is considering a sanction:
The nature, gravity and duration of the infringement
Whether the infringement was intentional or negligent
The steps taken by the controller or processor to mitigate the damage suffered by individuals
How the regulator found out about the non-compliance
Adherence to a particular code of conduct
Complete information audit
Create internal GDPR policy and implement
Investigate the best combination of CMS and mailing platform
Speak with all third party processors and implement agreements
Staff awareness and training
The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate and remove those risks. It’s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation.
Emberson runs regular free seminars on GDPR and Data Management.