The new General Data Protection Regulation (GDPR) has been the centre of much discussion ahead of its implementation, but what is GDPR, and how will it impact the likes of marketing in the UK?
As a small business accountant, the team at Accounts and Legal have been working alongside clients to ensure their companies are up-to-date with the new GDPR directive ahead of its implementation on May 25th of this year.
GDPR is an EU directive, but the Government has confirmed that it will implement the new law whatever form our withdrawal from Europe takes – so there is no point in delaying your strategy in the hope that Brexit will mean its disappearance.
Regardless of Britain’s departure from the EU, the European Union’s GDPR will be a part of the privacy and cybersecurity landscape for the foreseeable future. GDPR will be a legal requirement before Brexit occurs, and, once the UK leaves, the country will still have to follow its obligations when handling the personal data of EU citizens.
In addition to that, GDPR sets the bar for how the British people and their organisations look after the personal data of customers, staff and themselves.
Where marketing is concerned, this completely changes the way we think about handling data.
Direct marketers will need to demonstrate how their organisation meets the lawful conditions. If an organisation cannot prove how it obtained consent for the use of an individual’s information, the likelihood is that it will be fined.
Therefore, marketers must align themselves with the GDPR principles.
The collection of data needs to be relevant for the purpose of marketing. This means if you have run a campaign or competition you can only use the information for that purpose. Creating another purpose to use that information will need further consent from the data subject.
This is bad news for marketing, as a common practice has been to grow databases using these methods.
In terms of marketing databases, these will need to be cleansed and reviewed to ensure your organisation can identify whether or not consent has been granted lawfully and fairly, whether it is being used for explicit and legitimate purposes, what data has been collected, and the accuracy of that information.
Consent plays a huge role in digital and direct marketing. Marketing professionals must adhere to a clear set of boundaries which are demonstrated in the following text taken from the regulation.
“Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
The rule of thumb is that consent must be given and not assumed. Already I am seeing corporations update their websites and change the language they use to clarify the purpose of collecting the data and what it is going to be used for.
Then there is a physical action such as having an opt-in box so they can record how the data subject gave consent. In the past, the purposes of using personal data would have been written in lengthy legal and corporate jargon.
However, under GDPR the purpose has to be unambiguous, clear and simple. If it is not, it will not be accepted.
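The points above about recording how consent was given (the opt-in box), tying it to one stated purpose, and cleansing a marketing database against that record can be made concrete. The following is an added illustration, not code from Accounts and Legal or any client system; the subject names, purposes, dates and opt-in sources are constructed sample data, and the class and function names are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentRecord:
    """One affirmative opt-in, bound to a single stated purpose (assumed structure)."""
    subject_id: str
    purpose: str
    source: str                      # how consent was captured, e.g. which opt-in box
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentRegister:
    """Append-only register of consents: nothing is assumed, only what was recorded counts."""

    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    def record_opt_in(self, subject_id: str, purpose: str, source: str,
                      given_at: Optional[datetime] = None) -> ConsentRecord:
        rec = ConsentRecord(subject_id, purpose, source,
                            given_at or datetime.now(timezone.utc))
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id: str, purpose: str,
                 withdrawn_at: Optional[datetime] = None) -> int:
        """Close every active consent for (subject, purpose); returns how many were closed."""
        when = withdrawn_at or datetime.now(timezone.utc)
        closed = 0
        for i, rec in enumerate(self._records):
            if rec.subject_id == subject_id and rec.purpose == purpose and rec.active():
                self._records[i] = ConsentRecord(rec.subject_id, rec.purpose,
                                                 rec.source, rec.given_at, when)
                closed += 1
        return closed

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """True only if an active, explicit opt-in exists for exactly this purpose."""
        return any(r.subject_id == subject_id and r.purpose == purpose and r.active()
                   for r in self._records)

    def evidence(self, subject_id: str, purpose: str) -> list[ConsentRecord]:
        """Every record (active or withdrawn) that could be shown to a regulator."""
        return [r for r in self._records
                if r.subject_id == subject_id and r.purpose == purpose]

    def purposes_for(self, subject_id: str) -> set[str]:
        return {r.purpose for r in self._records if r.subject_id == subject_id}


def review_database(register: ConsentRegister, subject_ids: list[str],
                    purpose: str) -> tuple[list[str], dict[str, str]]:
    """Split a marketing list into subjects who may be contacted for `purpose`
    and those who may not, with the reason each one is blocked."""
    allowed: list[str] = []
    blocked: dict[str, str] = {}
    for sid in subject_ids:
        if register.has_consent(sid, purpose):
            allowed.append(sid)
        elif register.evidence(sid, purpose):
            blocked[sid] = "consent withdrawn"
        elif register.purposes_for(sid):
            # Data collected for a competition cannot be reused for a newsletter.
            blocked[sid] = "consent given for a different purpose only"
        else:
            blocked[sid] = "no record of consent"
    return allowed, blocked


def build_sample_register() -> ConsentRegister:
    """Constructed sample data: three subjects, three different consent histories."""
    reg = ConsentRegister()
    may_1st = datetime(2018, 5, 1, tzinfo=timezone.utc)
    reg.record_opt_in("alice", "newsletter", "website opt-in box", may_1st)
    reg.record_opt_in("bob", "competition-2018", "competition entry form", may_1st)
    reg.record_opt_in("carol", "newsletter", "website opt-in box", may_1st)
    reg.withdraw("carol", "newsletter", datetime(2018, 5, 20, tzinfo=timezone.utc))
    return reg


if __name__ == "__main__":
    ok, not_ok = review_database(build_sample_register(),
                                 ["alice", "bob", "carol", "dave"], "newsletter")
    print("may contact:", ok)
    print("must not contact:", not_ok)
```

The design point is that the register answers "is there an affirmative, still-active opt-in for this exact purpose?" rather than "do we hold this person's details?"; a subject who only entered a competition is blocked from the newsletter until a separate consent is recorded, and every decision can be backed by the stored source and timestamp.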
I have used the term personal data a lot within this blog. To clarify, personal data is a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
If we focus on online identifiers, we can see that IP addresses, cookies, mobile IPs and even search engines will fall into scope of GDPR.
Failure to comply with the new law can lead to a fine of up to €20m or 4% of global annual turnover, whichever is greater.
The rules are also quite clear on the fact that whoever is responsible for the breach – whether an employee, a malicious attacker, or a partner or other third party – is irrelevant; it will be the organisation that foots the bill and suffers any consequent reputational damage.
If, like many organisations, you are new to all of this, you’ll have a larger hill to climb. Starting this journey sooner rather than later will minimise the risk of a fine, bad publicity or even a legal process should the worst happen and you’re not ready.
4% of your global annual turnover, or £18 million, is a large price to pay for direct breaches of the GDPR principles, but even a minor breach is likely to cost you 2% or £9 million at the bare minimum.