Until now you will have been working under the Data Protection Act 1998, but from May 2018 that changes. The European Union has adopted the General Data Protection Regulation (GDPR) to standardise data protection across all EU member states.
Read on to find out everything you need to know about the GDPR, what it is, what it covers and how you can prepare for the changes on the 25th May 2018.
So, What is the GDPR?
It is a new regulation that applies across the EU (including the UK) and, for UK businesses, replaces the Data Protection Act 1998 (DPA). It keeps the DPA’s existing principles and adds stricter rules on how businesses handle, record and protect personal data.
In short, businesses will need to keep a record of all the personal data they hold, prove that they have proper consent to use it, show how the data is being used and how they are protecting it.
Will Your Business be Affected?
The GDPR applies to businesses if:
- Their organisation is established in the EU
- They process the personal data of individuals in the EU, for example when offering them goods or services or monitoring their behaviour, even if the organisation itself is based outside the EU
- Their email service provider (ESP), or another processor they use, is established in the EU (the processor is then itself bound by the GDPR, and the contract with it must reflect that)
What About Brexit?
Although the UK is leaving the EU, businesses are still expected to comply with the new regulation. With two years to go before the UK becomes a separate entity, it will still be a member state when the GDPR takes effect in May 2018.
When we do split away from the EU, UK businesses will still be expected to comply if they plan to continue trading with countries within the EU.
What Does This Mean for Your Business?
Well, it essentially means you have 18 months to ensure your business is compliant with the new regulations when they come into play.
To ensure you hit the mark, we’ve highlighted everything you need to know about the GDPR. You can also download a handy checklist at the bottom of the page.
What Happens If I Don’t Comply?
When the new regulation comes into force, a business that markets to individuals who have not given explicit consent can be fined up to €20m or 4% of its global annual turnover, whichever of the two is higher.
So the cost of not following the rules far outweighs the cost of becoming compliant.
The Explicit Consent Countdown
You have 18 months to…
- Get explicit consent from implied-consent subscribers (customers and engaged prospects).
- Get explicit consent from as many non-engaged individuals as you can.
After the cut-off date you will not be allowed to market to any individual who has not given you explicit consent.
Things to Consider Now
The Opt-in process
The change in opt-in procedure means none of your existing contacts can be marketed to unless they have already actively opted in to receive marketing materials from you. The following do not count as confirmation of opting in:
- Lack of response from a subscriber
- A pre-checked box
- Any kind of implied consent
You must get consent via an action taken by the individual, e.g. ticking a marketing consent box themselves.
On top of this, you have to be able to show that the consent came from a real person acting deliberately. In practice that means either putting a reCAPTCHA on the sign-up form (the sequence of numbers or letters that leaves you asking the screen whether it’s an upper or lowercase P) or using double opt-in: sending a follow-up email asking the individual to confirm their consent, and only treating them as opted in once they have done so.
You can find out more about reCAPTCHA, and download the current Google-approved version, on Google’s reCAPTCHA site.
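The double opt-in flow described above, as an added example that is not part of the original post or its checklist. It records the exact consent wording and source, rejects a pre-checked or unticked box outright, emails a signed confirmation token that expires, and only marks the contact as marketable once that token has been verified with a constant-time comparison. The function names, the 48-hour expiry and the in-memory store are assumptions made for the illustration.

```python
"""Double opt-in consent register (illustrative example, not production code).

A contact becomes marketable only when (1) they ticked an unticked consent box
themselves and (2) they later clicked a signed, time-limited confirmation link.
"""
import base64
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Assumption: in a real system the key comes from a secret store and is rotated.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 48 * 3600  # assumption: confirmation links expire after 48 hours


@dataclass
class ConsentRecord:
    email: str
    consent_text: str          # exact wording the person agreed to (evidence for the regulator)
    source: str                # where the consent was captured, e.g. a form URL
    requested_at: int          # when the box was ticked (unix seconds)
    confirmed_at: Optional[int] = None   # when the confirmation link was clicked
    withdrawn_at: Optional[int] = None   # when the person opted out again


ConsentStore = Dict[str, ConsentRecord]   # keyed by lower-cased email


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(email: str, issued_at: int) -> str:
    """HMAC-SHA256 over 'email|issued_at' so the link cannot be forged or re-pointed."""
    payload = f"{email}|{issued_at}".encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def request_consent(store: ConsentStore, email: str, box_ticked: bool, box_prechecked: bool,
                    consent_text: str, source: str, now: Optional[int] = None) -> Optional[str]:
    """Record a pending consent and return the token to email, or None if the 'consent' does not count."""
    if box_prechecked or not box_ticked:   # pre-checked box / no action is not consent
        return None
    now = int(now if now is not None else time.time())
    key = email.lower()
    store[key] = ConsentRecord(key, consent_text, source, now)
    return make_token(key, now)


def confirm_consent(store: ConsentStore, token: str, now: Optional[int] = None) -> bool:
    """Verify the emailed token and mark the pending record as confirmed."""
    now = int(now if now is not None else time.time())
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
        expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):    # constant-time check
            return False
        email, issued_at_str = payload.decode().rsplit("|", 1)
        issued_at = int(issued_at_str)
    except ValueError:                                # malformed token, bad base64 or non-integer time
        return False
    if now - issued_at > TOKEN_TTL_SECONDS:           # stale link
        return False
    rec = store.get(email)
    if rec is None or rec.requested_at != issued_at:  # token does not match the current pending request
        return False
    if rec.confirmed_at is None:
        rec.confirmed_at = now
    return True


def withdraw_consent(store: ConsentStore, email: str, now: Optional[int] = None) -> None:
    rec = store.get(email.lower())
    if rec is not None:
        rec.withdrawn_at = int(now if now is not None else time.time())


def may_market_to(store: ConsentStore, email: str) -> bool:
    """True only for confirmed, not-withdrawn consent; pending or implied consent is never enough."""
    rec = store.get(email.lower())
    return rec is not None and rec.confirmed_at is not None and rec.withdrawn_at is None


if __name__ == "__main__":
    # Constructed sample flow: sign-up, emailed link, confirmation click, later opt-out.
    store: ConsentStore = {}
    tok = request_consent(store, "Jane@example.test", True, False,
                          "Yes, send me marketing emails from Example Ltd", "https://example.test/signup")
    print("marketable before confirmation:", may_market_to(store, "jane@example.test"))
    print("confirmed:", confirm_consent(store, tok))
    print("marketable after confirmation:", may_market_to(store, "jane@example.test"))
    withdraw_consent(store, "jane@example.test")
    print("marketable after withdrawal:", may_market_to(store, "jane@example.test"))
```

The token binds the address to the time the box was ticked, so a link cannot be reused after the contact re-submits the form, and the stored record keeps the wording and source so you can show a regulator exactly what the person agreed to and when.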
The controls you need to put in place
If you’re handling a lot of personal data you should appoint a Data Protection Officer (DPO). The GDPR only makes a DPO mandatory in specific cases (public authorities, and organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data), but it makes clear that every business must establish strong control of the personal data it holds and ensure it is protected. Appointing a DPO will make this process a lot easier to set up and maintain.
You will also only be allowed to “retain data for as long as it’s relevant”. To ensure you get this right, you should follow these steps:
- Review how long you need to keep personal data
- Consider what you hold the information for, and decide whether, and how long, you need to retain it
- Securely delete information that is no longer needed
- Update, archive or securely delete information when it is out of date
You can find more information about what this means and entails on the ICO website.
The transparency the EU GDPR expects
The purpose of the new regulations is to give EU citizens control over their personal data. With this in mind, businesses are expected to have transparent personal data policies, including:
- The Right to be Forgotten (erasure)
- The Right of Access (subject access requests)
- The Right to Data Portability
How Do You Get Ready For the GDPR?
We’ve created a GDPR cheat sheet, which is free to download. It covers everything you need to know about the new regulations, and helps you with the following:
- What should your opt-in statement include?
- How can you keep track of your data compliance?
- How can you gain explicit consent from your existing and prospective customers?
- How can you improve your opt-in process for new data?
- How can you make contact with the non-opted in community?
- Steps to take before the GDPR comes into play
- A glossary of GDPR terminology
The information shared in this blog and accompanying eBook is true and complete to the best of our knowledge. All recommendations are made without guarantee on the part of the author and Sonovate LTD. The author and publisher disclaim any liability in connection with the use of this information.