What you need to know about GDPR
The timeframes on the implementation for GDPR are really tight. It’s taken several years to get to this point (July 2017), but confusion still exists. So here’s a list of what you need to know about the GDPR and what is still up in the air.
What is GDPR
In the UK, the General Data Protection Regulation (GDPR) will replace the existing Data Protection Act 1998. It’s going to apply to all companies processing the personal data of users living in Europe. It doesn’t matter where your business is located. Given that we are firmly in a digital age, and that data has been referred to as the ‘world’s most valuable commodity’ by the Economist, it’s legislation that is long overdue.
The objective of GDPR
The objective of the GDPR is to provide greater privacy protection by regulating the use of all personal data used in business.
What does personal data mean? The definition of personal data has been extended to include all online identifiers e.g. an IP address, a cookie, location data or an advertising ID.
If you are a) in business, and b) collect data about people as part of doing business, this is going to affect you.
If you are a person who provides data to a business, that covers everything from searching Google, buying some flowers online, signing up to an email newsletter, or using a Tesco Clubcard. This is going to affect you.
What is the impact of Brexit on GDPR
It’s been confirmed by the Government that Brexit has no impact on the GDPR whatsoever. The Secretary of State for the Department for Culture, Media and Sport has confirmed GDPR will apply from 25 May 2018, in the UK and across Europe. We have to be aligned with Europe on this, otherwise it’s going to be a huge mess.
We are under Guidance
It’s July 2017, and GDPR is due in May 2018. This means the wheels are in motion but the whole job is not complete. It’s the ‘build’ part of the project. The main players in this are the UK’s Information Commissioner’s Office (ICO), the Article 29 Working Party (A29WP) and the EU regulators. As things get agreed, ‘guidance’ is issued. That doesn’t mean it’s the final word, but it’s where we are at.
Why do I need to do anything about GDPR?
If you don’t comply with the GDPR, the penalties are severe. The EU will be able to fine organisations up to €20m or 4% of annual turnover (whichever is greater). The EU takes this very seriously, so it’s very likely that some major players will be fined. https://www.theguardian.com/business/2017/jun/27/google-braces-for-record-breaking-1bn-fine-from-eu
Consent Consent Consent
A key element of the GDPR is consent. You will need to be able to prove that you have consent from your users to collect any ‘personal data’. It needs to be opt-in rather than opt-out, and not hidden. Most importantly, you need to be able to prove consent.
You are allowed to process personal data when it is in the legitimate interests of a business – for example your subscription is about to expire. However, this is a grey area that is likely to be tested and challenged.
Best to focus on collecting consent from your audience. It’s a great opportunity to rekindle old relationships with your audience.
Age of consent for personal data
At the moment, in the UK, companies are not allowed to process data from children aged under 13 without permission from a parent or guardian. The age of consent for GDPR is proposed at 16, but it’s yet to be confirmed. If this could impact your business, I’d start planning now.
Beware of sensitive data
There will be some data you won’t be able to process. This is regarded as ‘special categories of personal data’ including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health or an individual’s sex life or sexual orientation.
If this could impact your business, seek out legal opinion and start planning.
Access to the data you hold on individuals
Under GDPR, individuals will now have the right to access their own personal data upon request. See this excerpt from the EU on the subject (Data Portability):
For example, a data subject might be interested in retrieving his current playlist (or a history of listened tracks) from a music streaming service, to find out how many times he listened to specific tracks, or to check which music he wants to purchase or listen to on another platform. Similarly, he may also want to retrieve his contact list from his webmail application, for example, to build a wedding list, or get information about purchases using different loyalty cards, or to assess his or her carbon footprint.
Source: European Commission, Article 29 Working Party, April 2017. https://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 (wp242_rev01, p. 5).
You will need to be able to service these requests and provide this information in a clear and understandable format.
Right to be forgotten
Just as people will need to provide explicit consent, they can also demand to be ‘forgotten’, so you need to make sure you have the correct processes to handle these requests. But don’t worry too much about this: if someone doesn’t want to hear from you anymore, you want to know, don’t you? Unsubscribe can be your friend.
Cookies
Let me assume you know nothing of the term ‘cookie’. A cookie is a small text file that lives on your machine; it’s not a program. Typically it contains two pieces of information: a site name and a unique user ID.
When you visit a website, a cookie for that website is added (for a new user) or read back (for an existing user). Cookies are then used to track your behaviour, so the webpage reacts to your preferences and/or history. Cookies vary in use. They might record how long you spend on each page of a site or what links you click, and they can also be used to store what is in your ‘shopping cart’, adding items as you click.
Ever wondered how you access Facebook without having to login? That will be down to a cookie.
The use of cookies clearly falls under the new definition of ‘personal data’. However, that is being reviewed under a separate piece of legislation, the ePrivacy Regulation (ePR), also known as the ‘Cookie Law’. It’s not clear exactly what the changes to cookies will be.
What about the impact of GDPR on B2B Marketing
A fine question, but a very difficult one to answer. So here’s the current state of play (July 2017). If you are dealing with sole traders or partnerships, then these people are regarded in the same way as B2C marketing, so you will need opt-in consent for email. However, for telephone and direct mail, you need to offer an opt-out.
When dealing with employees of companies, you can send them a marketing email/text as long as you provide an easy way to opt-out of future communications from you.
In terms of GDPR, changes will come into force, especially if you are dealing with sole traders or partnerships. However, it’s not clear which other changes could come into practice.
The Age of Data Controllers and Data Processors
If you are an organisation that collects data, then you will be defined as a ‘data controller’. You will need to be clear (as part of the consent process) about how the data you collect will be used, and make this publicly available.
Companies that provide services or platforms (such as Websand) are defined as ‘data processors’. Websand provides a marketing automation platform on which our users act as ‘data controllers’, deciding how the data they collect is managed, segmented and processed.
We have been building explicit consent models into Websand processes (subscriber API, WordPress plugin, and mandatory import process), and allowing our customers to understand more about the data they collect (so they can review the ‘personal data’ they hold on each customer). However, we will be updating our agreements with our customers to give clarity on everyone’s obligations under the GDPR, especially around how user notice is given and consent obtained.
It is possible for an organisation to be both a ‘data controller’ and a ‘data processor’. Websand certainly falls into that category.
The Data Protection Officer and the DPIA
Every company that uses personal data will have to complete a Data Protection Impact Assessment (DPIA). The ICO has issued guidance on this, but I’ve not seen a form from them yet, and I’d suggest that is the place to get one.
Depending on your business activity or size (another thing TBC), you will need to appoint a Data Protection Officer (DPO). This person should be an expert in data protection law and practices. The role of the position is to inform and advise an organisation and its employees about their obligations under the GDPR. They will be responsible for monitoring compliance and providing advice on impact assessments. They will also be the first point of contact for data protection issues.
More news on the specifics of the Data Protection Officer is awaited.