You need to have been living under a rock to not realise that the GDPR is coming. The hype is growing – you could be fined up to 4% of your turnover or up to £20 million.
But what does it really mean for you?
Here are nine things that you absolutely need to know:
1. If you hold any personal data, you must be registered with the ICO
This is the Information Commissioner’s Office, an independent authority that promotes information rights in the public interest. Don’t delay: visit ico.org.uk and register.
2. B2B data isn’t exempt from the GDPR
Under the Data Protection Act B2B data was largely exempt from the rules that governed personal data.
This isn’t the case with the GDPR – an email address that can be attached to a specific person such as firstname.lastname@example.org is personal data. As such you’ll need to make sure you have a legal basis for storing and using the data.
3. You must have a legal basis for storing & using data
For many people this will be one of the following:
- Contract – you’re holding the data because you have a contract with that person – i.e. they’re a customer.
- Consent – you’re holding the data because you have received explicit consent to hold & use it – i.e. your marketing campaigns have explicitly asked for opt-in to communications.
- Legitimate Interests – you have a relationship with this person which allows you to store their data, this may be customer or membership data.
There are 3 others: 1. necessary for compliance with a legal obligation; 2. vital interests; and 3. public interests. These are less likely to be relevant unless you process things like financial records.
4. If you’re using consent as your legal basis…
It must be freely given, unambiguous & given with an affirmative action.
Pre-ticked boxes, silence, or no activity don’t constitute consent. If you’ve used any of these in the past, you need to find another legal basis for holding and using the data. Or you need to get consent from those you’re holding data for and emailing.
Remember, existing data must be GDPR compliant from the 25th May. If it doesn’t comply with the rules you can’t use it. So if you do need to get anyone on your database to consent to you holding and using their data, then you need to do it before 25th May!
You must record the fact that consent has been given on your database
Not only this, you need to log when that consent was given, and what wording was used to get that consent.
5. Data profiling is now included in the GDPR
Previously you didn’t need to inform people that you would be profiling their data, e.g. using geodemographic data to segment personal records, or directing offers based on previous marketing behaviour. Under the GDPR, you do.
6. Legitimate Interests & Direct Marketing
Recital 47 outlines that processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. This should cover you with existing customers or donors, particularly if you hold their data because of a contract.
However, you shouldn’t assume that this covers your prospects – you need to think “would this person reasonably expect me to hold this data and send them communications”. If the answer is “no”, then don’t do it as it won’t be covered by Legitimate Interests.
7. Are you someone who handles data on behalf of someone else (a Data Processor)? You’re liable under the GDPR
Under the GDPR, the data processor now shares the liability for compensating for damages in the event of a breach. They will also need to prove data protection compliance.
Any Data Processor (and don’t forget that’s anyone who stores the data as well as the people who use it) needs to have a contract with the Data Controller that outlines their responsibilities and liabilities.
The Data Controller can’t use any Data Processor unless they can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected.
8. Your privacy policy
This is the main communication vehicle to tell people what data you’ll be collecting, why you’re collecting it, and what you’ll use it for. Make sure you’ve got everything covered through this, including whether you’re likely to profile data. If you’re using cookies on your website, you’ll need to include a policy on this too, as cookies are considered to be collecting & keeping personal data.
9. You may be OK under the GDPR, but don’t forget PECR
The Privacy & Electronic Communication Regulation layers on top of the GDPR. This stipulates that you must have consent before you market to someone via email, mobile or text, unless they fall under the exception rules, all of which must apply:
- you obtained an individual’s personal data in the course of a sale or negotiations for a sale of a product or service;
- the communications you send are only marketing similar products or services; and
- the individual was provided with a simple opportunity to refuse marketing when their details were collected, and if they didn’t opt out at this point, they are given a simple way to do so in all future marketing communications.
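Points 4 and 9 together describe a record-keeping rule (log that consent exists, when it was given, and the wording used) and a decision rule (consent, or all three PECR exception conditions, before a marketing email goes out). The following is an added illustration of both, not code from the original post or from any product it mentions: an in-memory consent ledger and a pre-send check that returns a reason so the decision can be audited. The contact fields, the legal-basis strings and the sample contacts are constructed for this example.

```python
"""Consent ledger and pre-send check for email marketing (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    """What the post says must be logged: that consent exists, when, and the wording."""
    given_at: datetime
    wording: str                    # exact text the person saw when opting in
    source: str                     # where consent came from, e.g. "web signup form"
    affirmative_action: bool        # actively opted in: no pre-ticked box, no silence
    withdrawn_at: Optional[datetime] = None


@dataclass
class Contact:
    """Constructed record shape; field names are assumptions for this example."""
    email: str
    legal_basis: str                             # "contract", "consent" or "legitimate_interests"
    obtained_during_sale: bool = False           # PECR exception condition 1
    offered_opt_out_at_collection: bool = False  # PECR exception condition 3
    opted_out: bool = False                      # has since refused marketing
    consent: Optional[ConsentRecord] = None


def record_consent(contact, wording, source, affirmative_action, given_at=None):
    """Store consent only when given by an affirmative action; refuse to log anything else."""
    if not affirmative_action:
        raise ValueError("pre-ticked boxes, silence or inactivity are not consent; nothing recorded")
    if not wording.strip():
        raise ValueError("the wording shown to the person must be logged with the consent")
    contact.consent = ConsentRecord(
        given_at=given_at or datetime.now(timezone.utc),
        wording=wording, source=source, affirmative_action=True)
    return contact.consent


def consent_is_valid(rec):
    return rec is not None and rec.affirmative_action and rec.withdrawn_at is None


def has_gdpr_basis(contact):
    """GDPR layer: a legal basis must exist; 'consent' only counts if recorded and not withdrawn."""
    if contact.legal_basis == "consent":
        return consent_is_valid(contact.consent)
    return contact.legal_basis in ("contract", "legitimate_interests")


def pecr_allows_email(contact, similar_products):
    """PECR layer: consent, or the exception when all three conditions hold."""
    if contact.opted_out:
        return False
    if consent_is_valid(contact.consent):
        return True
    return (contact.obtained_during_sale          # condition 1
            and similar_products                  # condition 2
            and contact.offered_opt_out_at_collection)  # condition 3


def can_send_marketing_email(contact, similar_products=True):
    """Both layers must pass; returns (allowed, reason) so the decision is auditable."""
    if not has_gdpr_basis(contact):
        return False, "no valid GDPR legal basis"
    if not pecr_allows_email(contact, similar_products):
        return False, "PECR: no consent and exception conditions not met"
    return True, "ok"


def sample_contacts():
    """Constructed sample data (not real people)."""
    customer = Contact("customer@example.org", "contract",
                       obtained_during_sale=True, offered_opt_out_at_collection=True)
    prospect = Contact("prospect@example.org", "legitimate_interests")
    subscriber = Contact("subscriber@example.org", "consent")
    record_consent(subscriber, "Yes, email me monthly offers", "web signup form",
                   affirmative_action=True,
                   given_at=datetime(2018, 5, 1, tzinfo=timezone.utc))
    return {"customer": customer, "prospect": prospect, "subscriber": subscriber}


if __name__ == "__main__":
    for name, contact in sample_contacts().items():
        print(name, can_send_marketing_email(contact))
```

The prospect in the sample passes the GDPR check (legitimate interests) but fails PECR, which is the gap point 9 warns about: being fine under one regime does not make the email lawful under the other.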
We hope this has helped answer some of your questions on what the GDPR means for you.
On 24th April we ran an interactive workshop designed to demystify the GDPR, and arm organisations with the tools they need to prepare for it.
If you’re still feeling unsure about the GDPR and how it affects your organisation, get in touch and we’ll arrange a call to help you become data compliant by May 25th.