What is the GDPR?
The General Data Protection Regulation or GDPR is legislation that is coming into effect on the 25th May 2018. It is a new EU regulation that is attempting to unify how countries in the EU approach data protection and the security of personal information. And, despite Brexit, the UK is very much included in this new regulation, as any country that wants to trade with countries in the EU must be compliant.
The GDPR aims to give citizens of the EU greater control over their own data, and to give them confidence that their personal information is being protected by the companies they choose to give it to.
What does the GDPR mean for your business?
The main way that this could affect you and your business is regarding the collection, use and transfer of personal information. Think about those email pop-ups on your website, those details your customers enter when they place an order, and your CRM system containing the contact information of all of your clients. All of these are examples of collecting data, which will now be heavily controlled and regulated, with severe penalties for those that do not comply.
Personal data includes:
- Email addresses
- Bank details
- Updates on social networking websites
- Location details
- Medical information
- Computer IP addresses
Let’s delve a little deeper. What rights will the individual be given with regards to their own data?
- The right to access. Citizens will have the right to request access to their personal data and ascertain how their data is being used by your company. You also have to provide a copy of the personal data that you have on file for an individual, for free, if they request it.
- The right to be forgotten. Individuals will be able to request that their data be deleted by your company, with strict penalties if you do not oblige.
- The right to data portability. Your customers will gain the right to obtain their personal data and transfer it to another service provider. For example, a bank would be required to give their customer access to their own data (in a commonly used and machine readable format like a CSV file) for them to accurately ascertain whether they are getting the best possible deal from the bank on a third party comparison website, and to switch if they are not.
- The right to be informed. Your business will have to be very transparent in informing individuals when you gather their data. Customers will have to opt in, perhaps double opt in, to give their consent. It is thought (but not confirmed) that the company would have to have a double opt in for a newsletter sign up for example, which has some important implications for your email marketing, especially if you’re currently collecting email addresses with an auto selected tick box.
- The right to have information corrected. Individuals will have the right to update their personal data if it is incorrect or out of date.
- The right to restrict processing. When an individual restricts the processing of their data, you are allowed to store it but not use it in any way.
- The right to object. An individual will have the right to stop the use of their data in your direct marketing, and the use of their data must desist immediately on their request. This must be made very clear to individuals at the point that you collect their data, and also must be a very simple process to implement. This means that any complicated and overly long unsubscribe processes (are you sure you want to unsubscribe? Are you sure you’re sure?) will result in penalties.
- The right to be notified. If there has been any kind of data breach which has or might put personal data at risk of being compromised, the affected individuals must be informed within 72 hours of the discovery of the breach.
So, what does your business need to do about the GDPR?
According to Dell & Dimension Research, 97% of companies don’t have a plan in place for when GDPR kicks off in 2018. So, we thought we would share a few examples about what your company needs to do prior to the regulation being enforced, with reference to your website and your marketing. Note, this is in no way an exhaustive list of what needs to be implemented, only a few examples of some of the things you must change. For more information, please see the official EU GDPR website on https://www.eugdpr.org/
In order to sign up for communications from your company, prospects will have to fill out a form or actively tick a box and then confirm they would like to sign up in a second email. The consent to be communicated with must be recorded and time stamped in case the data collection is questioned in the future. The process to unsubscribe must be simple and instant.
If your company buys personal data for your sales team or for your email marketing, the data will have to be qualified by your company before you are allowed to use it. This means you will have to give the contacts on those lists the opportunity to opt out of being contacted by your company. Even if you bought the list from a vendor, it is your company who is responsible for gathering the consent of the individuals.
Again, when they give their permission to be contacted, this must be recorded and time stamped, and it must be detailed which bits of their data they have consented to being stored.
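An added example (not code from the original post) of how the double opt-in and consent recording described above might be kept: a sign-up creates a pending record, consent only becomes active once the emailed token is confirmed, and both confirmation and withdrawal are timestamped alongside the data items the person agreed to. The class and function names are assumptions for illustration, not any real product's API.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional
# Constructed example: a double opt-in consent log. Structure and names are
# assumptions for illustration, not any real product's API.
def _now() -> datetime:
    return datetime.now(timezone.utc)
@dataclass
class ConsentRecord:
    email: str
    purposes: set                 # e.g. {"newsletter"}
    data_items: set               # which personal data the person agreed to store
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))
    requested_at: datetime = field(default_factory=_now)   # first opt-in (form/tick box)
    confirmed_at: Optional[datetime] = None                # second opt-in (email link)
    withdrawn_at: Optional[datetime] = None                # unsubscribe, effective at once

    @property
    def active(self) -> bool:
        return self.confirmed_at is not None and self.withdrawn_at is None

class ConsentLog:
    def __init__(self) -> None:
        self._records: dict = {}
    def request(self, email: str, purposes, data_items) -> str:
        rec = ConsentRecord(email, set(purposes), set(data_items))
        self._records[email] = rec
        return rec.token          # goes into the confirmation email, nowhere else

    def confirm(self, email: str, token: str) -> bool:
        rec = self._records.get(email)
        if rec is None or rec.confirmed_at is not None:
            return False          # unknown address or already confirmed
        if not secrets.compare_digest(rec.token, token):
            return False          # wrong link: consent is NOT recorded
        rec.confirmed_at = _now()
        return True

    def withdraw(self, email: str) -> bool:
        rec = self._records.get(email)
        if rec is None or not rec.active:
            return False
        rec.withdrawn_at = _now()  # no "are you sure?" step: takes effect immediately
        return True

    def may_contact(self, email: str, purpose: str) -> bool:
        rec = self._records.get(email)
        return rec is not None and rec.active and purpose in rec.purposes
```

Until `confirm` succeeds with the right token, `may_contact` stays false, so an un-confirmed form submission never feeds a mailing list.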
Trade Shows & Exhibitions
Particularly in a B2B business, it is very common to collect or exchange business cards with a new contact, then get back to the office and add them onto a database or CRM system. Due to there not being a double opt in with this method, this will no longer be allowed under the GDPR. How they are going to enforce this, we do not know.
Third Party Vendor Code
What happens if you don’t act?
Without sounding too ominous, the penalties for companies found to be in breach of the GDPR regulations are severe. You could be fined up to 4% of your annual global turnover or 20 million euros, whichever is greater.
So, you need to start putting the necessary procedures, protocols and physical amendments to your website or apps (also across your whole company, HR, IT, Sales… every department collects data in some way!) in place now so that you are compliant come May 25th 2018.
And if you need any help with the marketing side of things, if you need any amendments making to your website, or you need help with anything at all, you know where we are.