Do you still feel overwhelmed by what it is and what you need to do? Read our user-friendly post to guide you through.
Unless you’ve been under a large rock for the past couple of months, you will know that as of today, 25th May 2018, the General Data Protection Data (GDPR) is now officially implemented for those who communicate to, or who are part of the EU.
If you’re in the B2C sector you will have already been well underway with your consent strategies, in order to retain your existing customers and working on cleaning your data lists. However, if you’re a B2B business the obligation is not so pressed to act or implement such a strategy, and you may now find yourself behind the curve with little action made. The main message from the ICO is not to panic, and although the new data protection act is a significant change from the proceeding legislation the ICO is just asking companies to be ACCOUNTABLE. As mentioned earlier there is, however, more onus on those communicating directly to customers as part of B2C companies. The ICO has previously mentioned that they are not expecting all companies to be 100% compliant by the 25th, however, there is the expectation that Companies will have an awareness of GDPR, their responsibilities to GDPR and a timeline in which they have mapped out to implement a strategy.
So, if you haven’t managed to implement at least a business plan for implementation then now is the time to do so! In the coming weeks, we will be posting a mini blog series to unpack exactly WHAT GDPR is, WHY it’s being enforced, WHO it affects and HOW you can be compliant. Each post will help break down what is a very complex topic into digestible chunks. It can either be used as a refresher if you’re a GDPR master or a valuable guide if you’re still trying to get your head around it all.
Part One: The answer to the biggest question of all: WHAT really is GDPR?
GDPR (the General Data Protection Regulation) is an evolution of the pre-existing Data Protection Law, which was implemented towards the end of the 20th century (1998). The new regulation (GDPR) has been brought in to reflect activity, platforms, comms and most importantly to protect customers in the 21st century. The law looks to realign data practices to put the customer first and to protect their data.
It is unclear whether GDPR will remain the same for the UK post-Brexit, but what is clear is that for the meantime whilst the UK is still in the EU, GDPR must be adhered to, with the view that a similar adaptation will be in place for the UK in May 2019.
What constitutes personal data?
Personal data is detailed to be any information that could be used to identify a person, directly or indirectly, especially by reference to an identifier. This includes information such as:
Online identification (IP address)
These regulations apply to both physically and digitally held data.
According to the ICO, fines have always been in place under the Data Protection Act, however, an increased level of fines have been implemented to incentivise companies to sit-up and listen to GDPR. Potential fines could be in the region of €20,000,000, or up to 4% of annual worldwide turnover (whichever is greater). Some companies have decided to totally scrap their data in fear of the repercussions or have avoided any form of investment into the scheme due to the resource required to process. Notably, one of the most publicised examples of such a drastic move was JD Wetherspoons, who totally culled their data totalling 700,000 contacts (https://www.marketingweek.com/2017/07/05/wetherspoon-data-email-marketing-gdpr).
But what defines consent?
The law’s definition of consent is as follows;
‘’Any freely given, specific, informed or unambiguous indication of the data subject’s wishes by which or he or she, by a statement or by a clear affirmative action, signifies an agreement to the processing of personal data relating to him or her’’.
What do we need to do?
Companies are required to process, comply and protect any data they hold, be that if they are a B2B, B2C company or even employee data.
To adhere to GDPR, the ICO specifically indicates an emphasis of ‘lawful processing’ of the data. It is important for companies to identify their lawful process and to adhere to this consistently, not just before and after the implementation.
Consent, as mentioned above, must be obtained for the data subject, whereby steps must be made pre and post-consent to ensure a valid ‘contract’ between both parties is established. Processing of any data held is required from a legal standpoint to provide protection to the data subject which must be conducted in a lawful manner.
Don’t worry, we will be detailing the specifics in the HOW blog, in Part 4.
Look out for Part 2 of the series which will further expand upon WHY GDPR is a positive opportunity for marketers and not something to fear.
Flexible in nature. Dynamic in delivery. SWC your one-stop agency for your marketing needs.