GDPR (General Data Protection Regulation) is an EU regulation intended to strengthen data protection for EU citizens and residents. Under its terms, businesses and organisations that offer services or products to customers who are EU citizens are required to look after those customers' personal data. And there are some eye-watering penalties for getting this wrong.
Businesses collecting and processing any personal data (a Data Controller, as defined by GDPR) will be required to comply with the new regulations from May 25th 2018. This could be data gathered through websites or apps, or even internal databases, CRMs or old email.
The full GDPR document is a massive document (and not exactly a racy read), so many businesses are really concerned that it will prevent them from carrying out legitimate business development activities. The scare stories are not true, so here is our interpretation of the main points as we believe they affect our clients.
A key objective of GDPR is to force businesses using data to be transparent about how the personal data they collect is being used, by whom, and for how long. It requires Data Controllers to be explicit about what data is being processed and why. Businesses are also required to state whom an individual should contact regarding their data and how it is being used.
Under GDPR, businesses must be able to demonstrate proven consent, explicitly given by an individual (for example a prospect or client), before that individual's data can be processed. Furthermore, the data may be used solely for the purposes for which consent was given. So, for example, if someone contacts you via a form on the contact page of your website, that does not allow you to add them to your e-mailing list unless there is a specific opt-in at the same time.
GDPR requires businesses to have a process in place in the event of a data breach. Depending on its severity, a Data Controller has a legal obligation to report a data breach within 72 hours. For further information, consult the Information Commissioner’s Office (ICO) website.
Businesses processing significant amounts of personal data are now required to nominate or appoint a Data Protection Officer (DPO). The DPO will be responsible for monitoring GDPR compliance within the organisation.
Although many businesses do not fall into this category, we believe it is probably good practice to nominate a DPO to ensure that GDPR compliance is achieved and sustained.
Under the GDPR, all individuals have the right to have their data removed from your systems, and if an individual asks you to remove their data, you must comply.
Privacy should be built in.
GDPR promotes the concept that when digital systems are developed, individual data privacy must be a prime consideration. In practice this means that, where relevant, any privacy settings should default to the highest level of protection, with options for the individual to downgrade them.
Not complying with GDPR: the bottom line.
The maximum sanction for non-compliance with the GDPR is an eye-watering 20,000,000 Euros, or up to 4% of your annual worldwide turnover, whichever is the greater.
Be aware that if you are using applications like Google Analytics, MailChimp or Lead Forensics, these would be classified by GDPR as third-party data processors. Whether by running code on your website or by storing data (as in the case of MailChimp), they are processing data on your behalf, and you need to make individuals aware of this. Most (but certainly not all) of these systems are run by US-based companies, which will be going through the process of becoming GDPR-compliant at this very moment, if they have not already done so.
Please note… whilst we’re ready for GDPR, and are confident it’s a good thing for marketers and consumers alike, we’re not lawyers and this blog does not constitute legal advice. The ICO continues to produce GDPR guidance so keep an eye on their webpage for updates.