GDPR is coming! And don’t we all know it?
Well, perhaps not, as a recent survey by law firm DLA Piper showed that, just six months ahead of implementation, many companies are still struggling to meet the requirements of the new legislation.
DLA’s Data Privacy Scorebox survey showed that the average alignment score with key international data privacy principles was at 31.5% in 2017, against 38.3% percent average in 2016, suggesting organisations are actually less prepared than they were last year.
GDPR represents the biggest challenge faced by marketing and comms teams in years, and it could have a significant impact on the way you source prospects, manage leads and make sales in your organisation. Understanding GDPR and preparing correctly is crucial.
But worry not! In the first in a series of GDPR themed content over the next month, we have put together this simple introduction to the key themes of GDPR, what they mean, and why they are important.
What does GDPR stand for?
GDPR stands for General Data Protection Regulation.
When does GDPR come into force?
All organisations must be GDPR compliant by 25th May 2018.
What is GDPR?
At its fundamental level, GDPR is a new set of rules designed to give individuals more control over their data. It aims to simplify the regulatory environment for business so both people and businesses can fully benefit from the digital economy.
Currently, the UK relies on the Data Protection Act 1998, which was enacted following the 1995 EU Data Protection Directive, but this will be superseded by the new legislation.
It introduces tougher fines for non-compliance and breaches and gives people more say over what companies can do with their data. It also makes data protection rules more or less identical throughout the EU.
What information does the GDPR apply to?
GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
This definition provides for a wide range of personal identifiers to constitute personal data, including; name, images, an email address, bank details, posts on social networking websites, medical information, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
It’s important to note that ‘personal data’ in a B2B context still applies. There is a common misconception within the marketing community that B2B communications are exempt from GDPR. This is not the case.
If the email address contains a name, then it contains a personal identifier. The exception to this is with generic business addresses. So, for example – firstname.lastname@example.org is a personal email address, so GDPR is applicable, email@example.com contains no personal data, so does not fall under GDPR.
How can this information be used?
Under GDPR, any personal data held or processed by a controller or processor must be used under one of the six defined legal grounds:
Consent: The data subject has given consent for their use their personal data. (Important to understand that the burden to prove consent is on the Data Controller – so consent must be recorded in order to be valid)
Contract: The processing is necessary in relation to a contract which the data subject has
entered into; or because the data subject has asked for their something to be done in order to enter into a contract.
Law: The processing is necessary because of a legal obligation.
Vital Interests: Life and death scenarios – where a critically ill person in an A&E is unable to grant consent for their data to be accessed.
Public Interest: The processing is necessary for administering justice, or for exercising statutory, governmental, or other public functions
Legitimate Interest: The complicated one. “Legitimate interest” requires a balancing between the reason and the rights of the individual. In short, if you have no other clear grounds for the communication, but the communication is necessary, it can take place under legitimate interest.
Who does the GDPR apply to?
The GDPR applies to both ‘controllers’ and ’processors’. A controller determines the purposes and means of processing personal data. A processor is responsible for processing personal data on behalf of a controller. A simple example may be that a client is a controller, and the agency is a processor.
If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach
However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
GDPR stresses shared responsibility. Penalties are applicable to both processors and controllers, meaning that if a third-party breaches GDPR, the end client will also suffer the punishment. This makes it vital that you choose your third parties wisely.
What penalties could you face?
Under GDPR, organisations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).
This is the maximum fine that can be imposed for the most serious of infringements.
Fines will depend on the severity of the breach and on whether the company is deemed to have taken compliance and regulations around security in a serious enough manner.
Again, it is important to note that these rules apply to both controllers and processors – meaning that responsibility cannot be passed on, responsibility is shared.
What should I do to prepare?
GDPR is deceptively simple – make sure personal data is safe, secure, and is only being used.
It’s important to remember that GDPR compliance is an internal issue for your company. Be wary of any third parties (agencies and suppliers) who say they can make you GDPR compliant without any involvement from yourself or your staff.
Third parties can assist you in understanding the legislation, scope what you need to prepare, and assist you with the implementation of any new strategic, technological and creative endeavours that may need to be actioned as a result of the internal procedures you define, but make no mistake that GDPR is an issue that is only addressed from the inside out.
Systems will be able to safeguard you against GDPR breaches, yes, but breaches will come as a result of an individual misusing those systems, so internal education is absolutely vital in ensuring your compliance.
If you are unsure of how to begin your GDPR compliance processes, Proctors can assist you in the following:
- Introduce GDPR concepts
- Refer you to resources that will help you prepare internally
- Advise on how your marketing strategies are likely to change based on our understanding of GDPR
- Offer opinion on your processes
- Support any implementation of your new internal processes
- Create new strategies, creative and technological solutions based on your confirmed internal processes
We cannot ‘make you’ GDPR compliant, but we can help you.
If you would like to learn more about GDPR then you can read the full legislation – however, we must warn you that it’s a bit of a beast at 88 pages long!
Alternatively, why not join us and other senior marketers in a one-day event as we share practical experiences and thoughts with peers and experts alike.
We’ll cover the legal steps your business will need to take and look at how creativity, data and technology processes can work together to engage audiences from May.