What is GDPR? What you need to know. And do.
Red Ant Solutions are aware of new GDPR data protection laws that are coming in to fruition in 2018. Here is all of the information that you need to know to make sure that your company meet the regulations in advance of the execution date.
1. What is GDPR?
The EU General Data Protection Regulation is a Europe-wide set of data protection laws designed to harmonise data privacy practice across Europe. The emphasis is on protecting citizens and their data and control over how it’s used.
The new regulations will come into force May 25th 2018.
2. Who does it affect?
If you process people’s personal data, in the context of selling goods or services to citizens in EU countries, you MUST comply with GDPR. Compliance with the UK’s Data Protection Act (1998) is not sufficient.
3. What about Brexit?
The Government has indicated it will implement an equivalent to GDPR even after Brexit. Given that the UK has historically supported GDPR as an effective data protection standard, and that it will provide a baseline against which UK businesses can deal with their EU counterparts, it is highly likely that future UK data protection laws will be similar to GDPR.
And in any case, the UK will not be leaving the EU until 2019, which means that from May 25th 2018, it will be law in the UK.
4. What is personal data?
GDPR defines personal data as anything that can be used to directly or indirectly identify a person. Names, photos, email addresses, bank details, posts on social networking websites, medical information or IP addresses.
5. What are some of the new rules?
Firstly, opt-ins, opt-outs and consent regarding communications.
Individual consent must be ‘freely given, specific, informed, and unambiguous’, and articulated by a ‘clear affirmative action’. That means you can’t assume consent based on ‘inactivity’, and a pre-ticked box isn’t enough anymore. Prospective and existing customers must agree that their data can be used and that they can be contacted. And that individual may withdraw their consent whenever they want.
So if you currently send email campaigns, you need to make sure your audience has opted in to receive information and that you have a record of when and where that person opted in.
As well as impacting your existing mailing list, GDPR will also affect list buying. The days where you could buy and import a huge list of thousands of contacts will be over. The power lies with the recipient and unless they have consented to receive your message, you can’t send them anything.
Secondly, the right to be forgotten.
The GDPR is designed to confer more control to individuals over how their data is collected and used, which means they will be able to request to know exactly what personal data a company holds on them, without undue delay. And to exercise the right to have their data removed if they wish.
And thirdly, the legal basis for processing personal data.
Practically speaking, this means better data housekeeping on the parts of companies and less collecting data for unnecessary or frivolous reasons. So companies cannot just share and exchange their data with other companies.
6. What if I don’t comply with the new rules?
Fail to comply with the GDPR and you may be subject to extremely high penalties, possibly as high as €10-20 million or 2-4% of global annual turnover (whichever is the greater figure).
And in order to ensure companies do comply, it’s highly likely that some companies will be fined these amounts as a warning to everyone else.
7. Can I email employees of other companies for B2B marketing?
The rules are slightly less onerous for B2B marketers than they are for companies marketing to private individuals. If you’re emailing employees of corporates e.g. limited companies, LLPs, partnerships in Scotland or government departments, you do not need prior consent/opt-in from the individual as you do in the case of B2C marketing.
You can, therefore, send them a marketing email as long as you provide an easy way for them to opt out of future communications from you.
8. So what do I do?
- Appoint someone in the company to deal with data protection issues.
- Review and document the relevant policies for GDPR compliance including your privacy policy, privacy notices, data protection policy, data sharing policy and information security policy.
- Review and document how you collect consent from data subjects.
- Review your existing contracts and make any necessary amendments.
- Ensure that personal data is processed in well-structured, secure and searchable databases so that you can handle data subject requests efficiently.
And do it now.
For more information visit:
UK Information Commissioners Office
EU GDPR
07 September 2017