With EU regulations changing regarding data protection, are you ready for the impact this could bring to your marketing strategy?

First, let’s cover off the basics:

GDPR explained – What is it?

GDPR was introduced to keep up with changes in technology and the way we store and use data collected about us. The aim is to help protect the data of EU citizens.

Who does it affect?

GDPR affects anyone who stores or processes data about EU citizens. The Information Commissioner’s Office (ICO) breaks this down into two categories:

My business is not in the EU, so this doesn’t affect me

Technically, this isn’t true. GDPR also applies to organisations outside the EU that offer goods or services to individuals in the EU.

What data does this affect?

GDPR relates to personal and sensitive data:

Personal data

This is anything that is directly or indirectly related to a person, such as names, addresses and any identification numbers.

Sensitive data

This covers things like genetic and biometric data.

Regulation Changes – when is the GDPR deadline?

The enforcement date is the 25th May 2018, but the regulation was actually approved way back on the 14th April 2016.

GDPR and Brexit

Since Brexit negotiations are still ongoing, there is still no word on what will happen to UK businesses that store/process customers’ data in the UK. However, if you deal with EU citizens in any sense, you will still need to comply with GDPR.

As best practice, it’s worth following the GDPR guidelines even if you don’t need to comply.

Digging Deeper

So now we’ve got the essential questions covered, let’s dig a little deeper into what exactly is changing, and what you’ll need to do to remain compliant.


Has this individual actually given you permission to process their data? For example, did they actually sign up for your offer email? And do you have a detailed record of this?

The rules on consent have been changed to make it clearer, so no more long, complicated terms and conditions that no one understands opting you into special offer emails, for example. Consent now needs to be clear and in plain English. It needs to be as easy to withdraw consent as it is to give it, for example by having unsubscribe links on emails or a dashboard for marketing preferences.

So how can you go about obtaining consent?

An example of an email subscription form can be seen below

[Image: opt-in sign-up form]

Overall, giving customers the choice and control over how their data is processed is not only best practice (and the law), it will also help build trust and reputation. Making it hard to unsubscribe or spamming people is going to give your company/brand a negative reputation.

I don’t have a record of whether they opted in or not

So just email them and ask for their email preference, right? Wrong. Don’t do this: you need their consent to email them. Honda did this and it didn’t end well for them (read the full story).

So what can you do with this data? You could do what Wetherspoons reportedly did in 2017, when it deleted its nearly 700,000-strong mailing list. It may sound drastic, but if you don’t need it or can’t use the personal data, then why not get rid of it? Deleting legacy data or data that you can’t use also ensures that it can’t be breached.

If you are just sending out (non-personalised) promotions/offers and are not already using social media, why not use it instead?

Asking for consent again?

Recently I have received an email to re-opt into receiving their emails, but why? I think the biggest issue that companies will have is that they will have a record of initial consent; however, they will not have enough data to prove GDPR-compliant consent. If you have enough evidence to prove GDPR-compliant consent then you won’t need to ask for consent again.

[Image: re-opt-in email example]

*I’m not a Manchester United fan.

Right to be informed

Individuals have the right to know how their personal data is being used; this is typically covered in a privacy policy.

Right to access

If you store personal data, that individual has the right to access the data you have on them and what you do with that data. With a few exceptions you will need to provide this data free of charge within a month. There are certain circumstances where you can refuse or charge for this data, for example if the request was excessive, but you will still need to inform them within a month.

Right to rectification

Individuals have the right to change their personal data if it’s incomplete or inaccurate.

Right to be forgotten

Individuals can request that you remove their personal data if they withdraw consent, if it was unlawfully used, or if there is no continued reason why it should be used.

Right to restrict processing

Individuals can request that you do not use or process their personal data, but this still enables you to store it.

Data Breaches

Data breaches come in many forms and are not just limited to being hacked. Other forms include computers (or any other storage device) getting lost or stolen, and even sending emails with personal data to the wrong recipient.

Data breaches are defined as the following:

When storing personal/sensitive data, you will need some plans/procedures in place to detect and deal with any breach. The plan should also include when and who to contact, and the timescales related to the breach.

This is important because, depending on the severity of the breach, you may have to contact the ICO and the relevant supervisory authority within 72 hours, followed by the individual(s) if it’s high risk (i.e. could result in fraud).

All breaches need to be documented, even if the ICO, the relevant supervisory authority or the individual have not been notified.

GDPR fines

There is a tiered approach to fines. The maximum fine for breaching GDPR can be up to 4% of annual global turnover or €20 million, whichever is higher. This is for the more serious offences, whereas lesser offences could be 2% of the annual global turnover. This could be substantially more than the £500,000 maximum that the ICO could previously hand out.

That said, there is no record of the maximum fine being handed out. Keurboom Communications Limited got hit with a £400,000 fine, as did TalkTalk and Carphone Warehouse.

GDPR Rule Breakers

There have been some large companies that have breached rules in relation to data protection. Here are a few examples that the ICO has taken action over.

Back in March 2017 Honda was fined £13,000 for sending out 289,790 emails to customers, asking customers to clarify their preferences for receiving marketing. Honda’s mistake was simply that they did not have opt-in or opt-out information stored against the email addresses, so they couldn’t prove they had consent to send the emails.

In June 2017, Morrisons supermarket was fined £10,500 for sending out 130,671 emails to customers who had opted out of receiving direct marketing about their loyalty scheme.

Only a month later, moneysupermarket.com was fined £80,000 for sending 6,788,496 unsolicited emails.

Other big companies that have been fined are Flybe, Vanquis Bank and SSE Energy.


The ICO has a checklist to make sure you are ready for GDPR. Be sure to check it out and avoid fines going forward.
