25th May 2018 is the day GDPR becomes enforceable across Europe, and it's about to change the way many of us do business.
A recent session I attended brought home not just the stark realities of the fast approaching GDPR, but also the plethora of unanswered questions that need addressing.
In this article, I'm going to address some of the key issues we may be presented with in the run-up to May 25th, while providing some actionable takeaways to make the transition as smooth as possible.
What is GDPR?
According to the GDPR Europe website, the whole purpose of this reform is to give EU citizens control over their personal data, as well as harmonizing data privacy laws across Europe. So, whilst it will be giving the power back to ‘the people’, the regulation should make things easier for organizations working across borders by providing consistency.
Looking at GDPR legislation from a personal perspective, you, as a data subject, now have enforceable rights over your data. This change is the result of a big focus on EU citizen rights, meaning that organizations that previously worked by the mantra 'we had to work to get your data, therefore we own it' are in the wrong. Instead, everyone has the 'right to be forgotten' (the right to erasure, Article 17) if they so wish, although it is not absolute: it applies in defined circumstances, for example where the data is no longer needed for the purpose it was collected for, or where consent was the legal basis and has been withdrawn.
Additionally, amendments have been made to the definition of personal data. Previously, the Directive's definition was implemented separately by each of the 28 member states, which developed their own interpretations of what constituted personal data. Now, the GDPR supersedes those national interpretations and enforces a strict, yet broad, definition of exactly what personal data is.
The GDPR defines it as any information relating to an identified or identifiable natural person: anything that could be used on its own, OR in conjunction with other data, to identify an individual. Recital 30 makes clear that this includes online identifiers such as IP addresses and cookie identifiers. If you're looking for a little more detail, Article 4 is an essential read.
From an organizational perspective, companies must have a lawful basis (Article 6) for every use, storage and management of personal data. Consent is one of those bases, not the only one, but where you rely on it, it must be unambiguous, and for special categories of data (Article 9) it must be explicit. Whatever the basis, you must disclose the intended use and how long the data will be kept.
Why do I need to worry now?
Discussions began as early as 2010 about a reform of the 1995 EU Data Protection Directive, with the General Data Protection Regulation (GDPR) finally being approved by the European Parliament on 14th April 2016. With over two years' build-up before the regulation applies, there has been ample time to get your compliance sorted.
Once 25th May 2018 rolls around, the supervisory authorities can begin imposing penalties, and non-compliance with GDPR can come at a hefty price.
What are the repercussions for non-compliance with GDPR?
There have been some steep fines for non-compliance put in place to deter even the most relaxed of finance teams.
Previously, in the UK under the Data Protection Act 1998 (which implemented the Data Protection Directive), a breach of the rules resulted in a maximum fine of £500,000, with data controllers taking sole responsibility for it (unless otherwise stated in a contract). Under GDPR, if a violation occurs, organizations can be fined up to 4% of annual global turnover or €20 million, whichever is higher.
€20 million or 4% of annual global turnover is the maximum GDPR non-compliance fine that can be imposed, and it is reserved for the most serious infringements. However, as you may suspect, the repercussions are dished out in a tiered system (Articles 58 and 83):
- Issue warnings;
- Issue reprimands;
- Order compliance with data subjects' requests;
- Order the organization to communicate a personal data breach directly to the affected data subjects;
- Two tiers of administrative fines that must in each case be effective, proportionate and dissuasive.
The maximum fine for the first tier is €10,000,000 or, in the case of an undertaking, up to 2% of total annual global turnover (not profit) of the preceding financial year, whichever is greater.
The maximum for the second tier is €20,000,000 or, in the case of an undertaking, up to 4% of total annual global turnover (not profit) of the preceding financial year, whichever is greater.
How will GDPR affect marketers?
There is already a great post about the implications of GDPR on marketing in the UK and Europe, which I highly recommend you read in full. But a brief overview never hurt anyone!
The roles that will be affected the most are Email Marketing Managers, Marketing Automation Specialists, and Public Relations Executives.
Email marketing managers will need to be particularly careful with data permissions, ensuring users opt in to your email campaigns and that their consent to being contacted is 'freely given, specific, informed and unambiguous' (Article 4(11)), given by a 'clear affirmative action'.
Marketing automation specialists should be wary of emails sent out from your CRM database. You need to make sure every name and email address in your automation system has given you valid consent to be contacted, or that you have another lawful basis you can document.
This one might not appear all that obvious, but PR execs need to be careful when marketing to a named employee of a business. A named individual at a company is still a data subject, so sending unsolicited pitches may prove problematic.
Where do I start?
If you're one of the 94% of companies who aren't ready for GDPR, you might be panicking a bit; you may even be asking yourself 'where do I even start?'
Steve Henderson of Communicator presented a slide that takes you through the stages necessary to prepare for the GDPR.
Image courtesy of Silverbean
Starting your preparations for GDPR
The first stage is a simple audit. Understanding your data flow is crucial, so conducting an audit of your current processes gets you off to a strong start. While organizing your audit, you should cover these areas:
- How are you collecting data?
- How are you using the data?
- Who are you sharing the data with?
- How are you storing the data?
- Finally, how are you deleting the data, and when?
Once you have completed this data audit, you must cross-reference it with the new regulation to identify where you do not yet comply. The next stage from here is to organize a project to fully adopt and adhere to the GDPR.
In order to start this project, you should bring a team of people together to implement the new regulations throughout the business. Typically, it’s advised that this team consists of key stakeholders such as heads of departments, representatives from legal and governance functions, finance and human resources. At this point, you should emphasize the importance of this project to your team.
The success of implementing the GDPR, as with any other project, will hinge on setting targets and milestones. As confusing as the GDPR is, scheduling dates for key deliverables allows you to organize everything around one clear framework. For example, aim to have your audit completed by the end of November.
Just a few other areas that need to be considered include (but are not limited to):
- Identifying data that now counts as personal data, such as online identifiers (IP addresses, cookie IDs) that you may not have treated as personal data before
- Delivering a GDPR awareness initiative
- Appointing a data protection officer, which is mandatory for public authorities and for organizations whose core activities involve large-scale regular and systematic monitoring or large-scale processing of special categories of data (Article 37)
- Updating privacy notices
Within your project schedule, be sure to allow time to evaluate its success. The GDPR is going to necessitate a range of new policies, procedures and processes, and that is a lot for a business to adopt. Ensure a smooth transition by proposing 'what if' scenarios and appropriate GDPR solutions. It's advisable to start the evaluation phase by January 2018, so as to leave plenty of time to fix what you find.
GDPR controller vs processor: Who is to blame?
Originally, the EU Data Protection Directive made only the controller liable for data protection compliance, not the processors. However, the GDPR places direct statutory obligations on data processors (for example Articles 28 to 33: acting only on documented instructions, keeping records of processing, ensuring security of processing, and notifying the controller of breaches without undue delay). This means that data processors may be subject to enforcement by supervisory authorities.
What is a data processor?
Under the GDPR (Article 4(8)), a processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. In practice this covers hosting providers, email-sending platforms, CRM vendors, payroll bureaus and any other supplier that handles your customers' or employees' data on your instructions.
Contrary to previous legislation, a data processor can now be held financially accountable for non-compliance and compensation claims by data subjects.
What is a data controller?
The GDPR defines a data controller (Article 4(7)) as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data.
Under Article 82, a controller involved in processing is liable for damage caused by processing that infringes the regulation; a processor is liable where it has not complied with its processor-specific obligations or has acted outside or contrary to the controller's lawful instructions. Where both are responsible for the same damage, each can be held liable for the whole of it so that the data subject is compensated in full, and they then settle the split between themselves.
What should I do?
Any changes take a while to implement, so make sure there's time specified in your project plan for data controllers and processors to adopt the new arrangements.
- Firstly, identify, review and (potentially) revise your data processing agreements. Article 28 requires a written contract between controller and processor that sets out the subject matter, duration, nature and purpose of the processing, and binds the processor to act only on documented instructions, ensure confidentiality and security, assist with data subject rights and breach notification, and delete or return the data at the end of the contract.
- Consider the processes for resolving disputes about liability, so that potential compensation claims can be settled given the liability rules above.
- Be sure to have clear documentation and recorded procedures in place to demonstrate you meet the new standards; accountability (Article 5(2)) means you must be able to show compliance, not merely achieve it.
What do you do with your historical data?
Historical data should be reviewed and, where appropriate, revised to ensure it complies with the new law. Avoid the mistake made by Honda and Flybe, who emailed their historical databases, including people who had opted out or whose consent status was unknown, with 'service messages' asking the recipients to opt in or out. Essentially, in an attempt to prepare for the new legislation, they broke the existing one.
Unless you're willing to suffer a fine, don't email everyone on your database offering the option to opt in to your campaigns: an email asking for marketing consent is itself a marketing email, so it needs consent to send. Instead, contact only those users you already have valid consent to email, ask them to update their contact details and preferences, and be explicit about your reason for getting in touch.
Repercussions of this
The Privacy and Electronic Communications Regulations 2003 (PECR) stipulate that an organization needs consent to send electronic marketing and that individuals have the right to require the organization to cease all electronic marketing to them.
In both of the examples above, the ICO considered the emails to constitute direct marketing, even though they were presented as humble service messages. As a consequence, the ICO fined the two companies a total of £83,000 for breaking the rules. The GDPR will impose an even higher standard of consent than this, with fines for breaking the rules reaching 4% of group worldwide turnover.
How to overcome this
In preparation for this change in consent standards, organizations such as Honda have been reviewing their customer databases and considering whether it's appropriate to update their records. In the same spirit, get familiar with the GDPR consent standards to ensure your own records comply.
It's advised that you audit your active and lapsed users and, for each, record what consent you hold and where it came from. You can then send an email only to those you have valid consent for, asking that they update their contact details and preferences, and stating plainly why you are writing. Unlike Honda and Flybe's messages, this keeps the email within the consent you already hold and makes it far harder to construe as an unsolicited marketing ploy. Anyone who has opted out, or for whom you hold no evidence of consent, should not be emailed at all.
What is consent and how do I get it?
Currently, the DPD defines consent as 'any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed', and requires that it be given unambiguously.
Some elements of the definition of consent under the GDPR are similar to the definition under the current directive: consent must be freely given, specific, informed and unambiguous. However, the GDPR adds that it must be given by a statement or a clear affirmative action, and Recital 32 spells out that silence, pre-ticked boxes or inactivity do not constitute valid consent. Additionally, the GDPR requires that it be as easy to withdraw consent as to give it, and puts a strong emphasis on clear and plain language.
Why do I need it?
Consent is a crucial component of data protection law. It is one of several legal grounds for processing personal data under the current European DPD, and remains so under the GDPR. However, from 2018 the GDPR raises the bar to a higher standard of consent.
Consent that meets this higher standard also sits alongside strengthened rights for individuals, including the right to access the information companies hold about them and the right to withdraw consent at any time. Breaching the consent rules, as the Honda and Flybe cases show, can lead to pricey fines.
How do I get it?
Valid consent requires a positive opt-in: the individual is given a genuine choice and control over how their personal data is used and takes a deliberate action to opt in. This may involve ticking an unticked box, signing a statement or giving oral confirmation. Make sure the language you use is prominent and clear, that consent for marketing is kept separate from other terms and conditions, and that you name any third parties who will rely on the consent.
Allowing the individual to withdraw consent whenever they see fit is crucial, as is keeping a record of evidence (who consented, when, how, and what they were told) which you regularly review and refresh if anything changes. At this stage, it is worth recognizing the value of CRO specialists and copywriters, who can optimize content in a way that encourages readers to opt in to marketing updates. This is the most efficient way to sustain conversion rates while complying with GDPR.
So, be proactive and get the ball rolling by assembling your project team and conducting an audit as soon as you can.
Moving forward, you should endeavor to stay organized. To fully prepare you and your business, start your preparations early. This gives you a transitional period, allowing your team the appropriate amount of time to adapt to the new legislation before time's up!