Tuesday, 27th March 2018
Like many companies, we’ve been grappling with the issues in and around the General Data Protection Regulation (GDPR), which comes into force in May.
As a marcomms business, we not only hold and process data on our own account, but also manage data on behalf of a number of clients. So, it is important that we understand the details of the new regulation so that we can advise clients accordingly.
Like many of you out there, we’ve read various articles and guidance papers and attended the odd free-to-attend seminar but, so far at least, have avoided investing in external training courses or subscribing to online portals with downloadable resources.
If the whole subject of GDPR is a massive turn-off, here’s the executive summary from the viewpoint of the CEO of an SME marketing communications agency: -
If I still have your attention, here’s a little more detail behind that summary.
GDPR - What is it?
GDPR is a new EU-wide General Data Protection Regulation, effective from 25th May 2018. It harmonises data protection law across Europe (and will still apply in the UK post-Brexit), replacing in the UK the Data Protection Act 1998 (DPA).
It imposes new obligations on organisations around the control of, access to and security of personal data, with tougher enforcement for breaches. Many of its principles, however, are similar to those of the existing UK DPA (six principles replace the previous eight).
What is all the fuss about?
It mainly revolves around the issue of Personal Data, which, in essence, means any information relating to an identifiable, living individual. In practice, for many businesses or organisations this could cover anything from names, email addresses (business and private), phone numbers and bank details, to online identifiers such as IP addresses and cookie IDs, and photographic or video images of that ‘data subject’.
Under the incoming GDPR, personal data should be:-
Can we ignore it?
Not really. Breaches can trigger significant fines (up to the higher of €20m or 4% of an organisation’s worldwide annual turnover), compared with a maximum fine of £500,000 under the UK DPA.
There are six lawful bases for processing personal data under GDPR. These range from the data subject giving consent, the processing being necessary for the performance of a contract or to comply with a legal obligation, through to protecting the vital interests of the data subject or performing a task in the public interest. Importantly, processing can also be justified as necessary for the purposes of an organisation’s legitimate interests, provided those interests are not overridden by the rights of the individual.
At the same time, the GDPR introduces and strengthens a number of rights for individuals, including the right of access (Subject Access Requests must now be answered within one month rather than the previous 40 days, and normally free of charge) and the right to erasure (AKA the right to be forgotten).
Isn’t this just more red tape?
The burden of compliance will vary significantly across different organisations, with size, amount and complexity of personal data stored/processed and the frequency of such processing all factors in the approach to be taken.
Time will tell, but it is our view that smaller entities that already take a responsible and systematic approach to data management, and deploy a pragmatic, risk-based approach to the introduction of the GDPR, fundamentally have little to fear.
Reviewing the way things are done in any organisation often provides the spark for innovation and finding ways to do things more efficiently and effectively, which is seldom a bad thing.
How will it impact our marketing activities?
The biggest shake-up, at least from a marketing perspective, is around how personal data can be used for marketing purposes and how it is stored and protected, coupled with the strengthened rights of data subjects.
The good news is that direct marketing (DM) is specifically referred to in the GDPR as a purpose that may constitute a legitimate interest. However, for such an interest to exist there should be a ‘relevant and appropriate’ relationship between the data controller and the data subject, and it should be assessed whether the individual would ‘reasonably expect’ their data to be processed in that way at the time and in the context in which it was collected. The use of ‘legitimate interests’ also requires a balancing test between the company’s interests and the rights and freedoms of the individual, and that assessment should be documented.
Many companies, in reality, will continue to rely on the legitimate interests basis for their DM activities. A more ‘belt and braces’ approach is to add consent into the mix. However, if this route is chosen, there are a number of considerations to take into account.
Most importantly, so-called opt-out consent (which puts the onus on the recipient of DM to request to unsubscribe) is no longer valid. Under the GDPR, consent only counts if the individual has actively opted in: pre-ticked boxes, silence or inactivity do not amount to consent. Note also that the UK’s Privacy and Electronic Communications Regulations (PECR), which govern electronic marketing such as email and SMS, continue to apply alongside the GDPR.
Not only this, but you will also need to be able to prove that an individual has consented, by recording who consented, when and how, and by tracking whether that consent has since been withdrawn. This will have significant implications for existing CRM systems.
What do we need to do to comply?
Well, first of all, don’t panic. As with most projects, breaking things down into bite-sized, task-oriented actions with clear responsibilities and timescales is likely to be highly beneficial.
You will need to undertake a review of your existing data processing and storage routines and procedures, understanding where the key risks lie.
It is also important to ensure that everyone in your organisation understands the scope and ongoing requirements of the GDPR. This will involve assigning responsibilities at the level of a Data Protection Officer or equivalent lead (where required or appropriate), department heads and individual employees.
If you rely on data provided by third parties you will want to get GDPR compliance statements in place with all relevant suppliers, while any data processing done on behalf of clients should be covered by written data processing agreements.
It is also worth checking your standard Terms & Conditions and Service Level Agreements to ensure that any provisions relating to data processing and storage reflect the requirements now stipulated by the new regulation.
What approach should we take on our direct marketing activities?
Clearly one of the major decisions will hinge on whether gaining consent is deemed to be the appropriate basis on which DM activities will be conducted post 25th May.
If this is the case, our current advice to clients is to: -
Where can I get help or assistance?
Every business or organisation is unique, so a good starting point is the Information Commissioner’s Office (ICO), www.ico.org.uk, which is the relevant independent authority in the UK.
B2B Marketing (www.b2bmarketing.net) has also put together an excellent guide for practitioners in this area.
NC Creative Group can also offer advice and guidance to current and prospective clients alike – email me at firstname.lastname@example.org or call (+44) (0)121 711 6510 to find out how we can help.
CEO, NC Creative Group
Article written 1st March 2018