This post is intended to act as a guide generally on GDPR and specifically on how marketing activity will be affected by the regulations. We’ve gathered data from many sources including guidance produced by the Information Commissioner’s Office and the GDPR itself. But please do note that this document is not legal advice and cannot offer comprehensive guidance. Ultimately, what you do to meet your obligations under GDPR is up to you, and entirely your own responsibility!
2. What is changing?
On 25th May 2018, GDPR comes into force and this will mean changes to the way your business handles personal data. GDPR stands for ‘General Data Protection Regulation’ and is Europe’s new framework for data protection laws. It represents four years of work by the EU to bring data protection legislation into line with the new, previously unforeseen ways that data is now used. Currently, the UK relies on the Data Protection Act of 1998, but this will be superseded by the new legislation. GDPR introduces tougher fines for non-compliance and breaches, and gives people more say over what companies can do with their data. GDPR will sit alongside the existing UK PECR (Privacy and Electronic Communications Regulations) which give specific rules on sending emails and text messages, conducting telemarketing and using cookies.
3. What is ‘personal data’?
GDPR lays out rules for the collection, use, and storage of ‘personal data’. ‘Personal data’ means any information relating to an individual by which they could be identified, and so includes names, postal addresses, phone numbers, email addresses, medical records, bank details, but also IP addresses (the string of numbers your computer uses to connect to the internet). And it’s not just data held electronically – paper records are also included.
4. I only deal with other businesses – does GDPR affect me?
GDPR applies to personal data, which means anything that may identify an individual: corporate email addresses, IP addresses or postal addresses stored digitally. A company employee is still an individual when at work, and therefore GDPR still applies.
Also bear in mind that sole traders and partnerships are considered to be consumers, and therefore B2C rather than B2B for the purposes of GDPR.
5. A summary of what GDPR requires
- Gives individuals eight specific rights regarding their personal data.
- Lays out principles for protecting user data and reporting data breaches.
- Requires that companies can demonstrate that they comply.
In summary, you must abide by the individual rights, ensure that you are properly securing personal data and be able to document how you are doing so.
- Individuals have the legal right to access, correct, delete or transfer personal information held about them on any company system, whether electronic or paper.
- Individuals must provide explicit consent for their personal data to be held and must consent to the particular ways in which it will be used.
- In the case of a data breach, it must be reported to the Information Commissioner’s Office (ICO) within 72 hours, and affected individuals must also be notified.
6. In more detail
1) New consent requirements
Consent is one of the fundamental aspects of the GDPR, and businesses must ensure that consent is obtained in accordance with the GDPR’s strict new requirements. Consent which was gained in the past is only valid if it meets GDPR’s more stringent tests.
Consent must be obtained from individuals for every use of their personal data, (unless you can rely on a separate legal basis – see later). Note that:
- Consent must be specific to distinct purposes.
- Pre-ticked boxes do not constitute consent: individuals must explicitly opt-in to the storage and use of their personal data.
- Separate consent must be obtained for different processing activities, so you must be clear about how the data will be used when you obtain consent.
- Individuals should be easily able to withdraw consent at ant time.
2) Asking for access to data
Individuals have the right to access any information a company holds on them, and the right to know why that data is being processed, how long it’s stored for, and who gets to see it. Individuals can also ask for that data, if incorrect or incomplete, to be rectified whenever they want.
3) The ‘right to be forgotten’
Individuals have the right to insist that information held on them is deleted if it’s no longer necessary to the purpose for which it was collected. This is known as the ‘right to be forgotten’. They can also demand that their data is deleted if they’ve withdrawn their consent for their data to be collected, or object to the way it is being processed.
4) The right to move data elsewhere
Businesses must store, or allow export of, people’s information in commonly used formats (like CSV files), so that they can move a person’s data to another organisation if the person requests it. This must be done free of charge and within one month.
5) What if we suffer a data breach?
A data breach that risks people’s rights and freedoms must be reported within 72 hours. In the UK, a breach should be reported to the Information Commissioner’s Office (ICO). Your initial contact with the ICO should outline the nature of the affected data, roughly how many people are impacted, what the consequences could mean for them, and what you’ve already done or plan to do in response. You should also tell the individuals affected by the data breach.
7. Look on the bright side
It’s easy to see the GDPR as a negative, but why not view it as a positive way to provide a better experience for your customers?
It’s a great opportunity to remind your customers what you do and why you matter. By getting people to positively opt in to marketing, you can be sure that they really want to hear from you.
See it as a chance to tell people what you are planning to do with their data and why; for example: to let them know about carefully chosen special offers, or to remind them of important matters like payments due.
Also bear in mind that recent events in the digital world have lead to increased concerns about data security amongst the general public. GDPR offers the chance to renew public confidence in technology and create a more trusting relationship between you and your customers.
8. What should I do?
1) Start with a full data audit
Look at what data you hold and why. Document all the methods both online and offline in which you collect personal data (for example: website, telephone, email, in person, via third parties).
Identify all systems in your organisation which store data (for example: CRM software, accounting packages, Excel spreadsheets, website, online shop, email lists like Mailchimp, contact address books, filing cabinets, email accounts).
Document what is stored, how it was collected, what consent was given, and how it is used. For all historic data, you need to be able to be able to prove how you collected it, what permissions you have and what it is being used for.
We found this information from the DMA on completing a data audit really helpful.
2) Prove or gain consent… or use a different legal basis
You should only be storing and using data if you have consent (or some other legal basis) for that use. Consent given in the past is only considered valid if it meets the new stricter conditions of GDPR.
However, consent is not the only legal basis for processing personal data under GDPR. There are other legal reasons for holding and using data, including ‘performance of a contract’, ‘legal obligation’ and ‘legitimate interest’.
This means you do not have to rely on consent as a basis for holding and using personal information. If you can demonstrate an existing client relationship, and you are communicating about similar goods and services, this meets the requirements of GDPR under the legal basis of ‘legitimate interest.’
GDPR explains where a company may have a ‘legitimate interest’ in processing data. The two of relevance from a marketing perspective are:
(a) Direct marketing: GDPR states ‘the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.’
(b) Relevant and appropriate relationship: for example where the individual is already a customer.
A business can be considered to have a ‘legitimate interest’ in an existing customer, potentially meaning that consent need not be sought again. However, the customer must be given the option to opt out of future communications.
Of course, going forward, explicit consent should always be sought, but it may not be straightforward to prove consent for people on an existing mailing list or database.
In summary, it is preferable to rely on consent as a basis for processing information, but there are other legal bases to do so.
3) Put processes in place
Make sure you have processes in place for data subject requests. If an individual wants access to their personal data, you must be able to provide it to them, free of charge and within one month. You must also make sure you have processes for the transfer of an individual’s information to another organisation, should they request it, or to facilitate their ‘right to be forgotten’.
9. What is Assembly Marketing doing about GDPR?
Almost everything we do at Assembly Marketing will be affected in some way by GDPR. It goes without saying that all new websites and marketing campaigns will be GDPR compliant, but what about our existing customers?
Rest assured, it’s our priority to make sure that you meet your obligations under GDPR. If it falls within our scope, we will advise you on the best course of action and take steps to ensure you are compliant. This includes websites, e-commerce stores, and Mailchimp email lists.
All customers will receive a personalised checklist which will cover the actions Assembly Marketing is taking to help you comply with GDPR. It will include the following:
1) Email marketing
- Cleaning existing lists
- Gaining consent from subscribers
- GDPR-friendly sign up forms
- Security of hosting
- Consent to cookies
- GDPR-friendly enquiry forms
- SSL certificates
- Advice for e-commerce sites
- Purchase of third party data
- Direct mail
10. What next?
If you’re a customer, we’ll be in touch with specific information on what we’re doing for you personally, whether you use Assembly Marketing for web design, email marketing or direct mail. We’ll send you a checklist covering the actions Assembly Marketing is taking to help you comply with GDPR, along with any recommended further actions and associated costs. For now, we suggest you look into making sure the rest of your business is GDPR compliant. This checklist from the ICO is a great place to start.