You may have heard the term GDPR being bandied around, but what does it mean and how will it affect your marketing activities?
What is GDPR?
GDPR stands for General Data Protection Regulation and concerns European privacy and data protection, some regulations are similar to the DPA (Data Protection Act), but the GDPR is not limited to the EU and can apply to any organisation anywhere in the world if they are using the data of EU residents or collecting/storing EU resident’s data. Brexit does not mean that the UK will not be applicable, the GDPR rules will still apply.
The GDPR covers certain ‘rights’, outlined by the Information Commissioner’s Office (ICO) these are:
The right to be informed: You must tell anyone whom you collect data from why you are collecting it in plain language. You must also release the contact details of the data controller, information on any third-party transfers, the data retention period and information on how to withdraw consent.
The right of access: If asked you must provide the individual access to their personal data. The £10 subject access fee, (as was the case with the DPA) has been removed, but a reasonable fee can be charged if the request is deemed unreasonable or repetitive. Information must be provided within one month of receipt.
The right to rectification: If asked by the individual, companies must correct data that is inaccurate or incomplete. This must be done within one month of receipt.
The right to erasure: The individual can ask for their information to be deleted if there is no reason for it to be held or processed any longer.
The right to restrict processing: The individual can request the processing of their data to be blocked or suppressed. If requested this means the data can still be held but cannot be processed further. This can happen in a couple of circumstances, when the individual is contesting the accuracy of the data or where they have objected to processing.
The right to data portability: The individual has a right to request a copy of their personal data for their own use. The data must be provided to them in a structured and readable format, free of charge and within one month.
The right to object: Individuals have the right to object to their data being used for profiling and processing.
Regarding direct marketing you must stop processing the individual’s personal data as soon as an objection is received, there are no grounds for refusal. You must comply free of charge and you must let the individuals know of their right to object at the first point of contact and in the company’s privacy notice, this must be presented clearly and separately from any other information.
What are the key take-aways for those in marketing roles?
- When collecting personal data be specific about what purpose the data will be used for and outline this in plain English at the opt in stage
- The individual must be able to agree to one specification, regarding the use of their data, but not the other. For example, they can consent to receiving newsletters about cars and not about third party offers.
- Consent cannot be assumed, this means no pre-checked boxes when collecting data
- Individuals must opt in to being contacted, not be opted in automatically and then have the choice to opt out
- Both controllers and processors of data are now responsible
- You must have in place the means to track down and potentially delete personal data if required. You must also keep track of what the data was collected for and how consent was gathered
- You as the company should make sure that the data stored is seen by as little people as possible and the data is stored in a secure location where it can only be accessed by the relevant data controller or processor
- Companies should be transparent about where the data is stored and what kind of data is being held
- Companies not in the EU should check their data sources to make sure, if they do have EU resident’s data, that it’s compliant
- Larger companies with lots of data will need to have data systems that interact with one another. For instance, if you have opt out’s or removal requests being logged on your CRM, but this is not processed through to your email marketing system and an email is then sent to someone who is opted out, this will be seen as a data breach. This more than ever requires the use of fully integrated marketing solutions and intelligent systems that ‘talk’ to one another.
The GDPR compliance regulations will come into force on the 25th May 2018. Penalties for not complying with GDPR regulations can result in a fine of 4% of a company’s annual turnover. It may be necessary before this date to do a full data audit of all the current information your company holds to make sure it’s compliant, you may also be obliged to review current processes which involve using and handling personal data.
Here at Pull we offer an email marketing service which considers the new GDPR legislation and becoming compliant for email marketing. To find out more information about the service email: firstname.lastname@example.org
The above review is no means an exhaustive list of everything the GDPR will cover and it’s essential to educate yourself on what the GDPR will mean for your business.
The links below provide a starting point for your own research: