You've probably heard about the upcoming General Data Protection Regulation, which will change the legislation concerning data collection and storage practices. This will replace the Data Protection Act (DPA) and come into action in May 2018. It's going to change the digital marketing landscape, putting the consumer rather than the company firmly in the driver's seat.
While awareness is growing, HubSpot reported in November 2017 that only 36% of marketers had heard of the GDPR, and a worrying number of companies are risking non-compliance.
If your business collects data from your contacts, you could soon risk fines of up to €20m, or 4% of your turnover, if you fail to comply with new legislation - a far harsher penalty than the £500,000 threatened by the current Data Protection Act.
Once the GDPR becomes active, common marketing practices that were once acceptable will have to be scrapped.
So what can you do to prepare your business for the changes ahead?
Here are 6 things that will help your company begin the process.
1. Document all the personal data you hold
We hate to say it, but you are probably going to need a data audit. To comply with the GDPR, your company will need to record details about the personal data you currently hold. This includes where you obtained it, and who you share it with.
You'll also need to track where you have shared an individual’s information with other organisations, as you may need to correct any inaccurate personal data both within your own company and any third parties with whom you have shared data.
By doing this, you will also help your company comply with the GDPR’s accountability principle, where you must be able to comply with its data protection principles.
2. Make sure you are gaining and maintaining proper consent
According to the Information Commissioner’s Office (ICO), consent to obtaining someone’s data must be “freely given, specific, informed and unambiguous”. It must be a positive opt-in. A pre-ticked consent box won’t be enough to comply with a positive opt-in.
The gold standard of consent is to go for a “double opt-in”, where the box ticking is followed up with an email that they reply to in order to confirm their permission.
Under the new rulings, an individual can also withdraw their consent at any time, meaning that your company must introduce simple ways that a person can do so.
You can see a more detailed breakdown of the GDPR requirements for consent here.
Companies that collect and store personal data should review privacy policies to include the new requirements of the GDPR.
As a company wishing to comply with the new legislation, you should familiarise your team with the following 8 rights the GDPR awards consumers:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- The right not to be subject to automated decision-making including profiling.
These are the same rights that the Data Protection Act offers, but with significant enhancements. These rights include how your company would delete personal data and the formats you would provide it to individuals in.
Number 6, the right to data portability, is new to the GDPR. It applies to data that someone has provided, processed automatically, and where the processing has been consented to, and means that individuals have the right to move, copy or transfer their personal data to another IT device or service in a usable format.
5. Update or define your data retention policy
A retention policy is a set of guidelines to follow when handling data, and will refer to how long different types of data should be stored for. This applies to data stored both on and offline, and refers specifically to data that can identify an individual.
Under the GDPR, you are also obliged to have a deletion policy in place for when an individual unsubscribes, usually removing them entirely from your database.
This means that companies should review their subscriptions management processes, allowing individuals a “right to be forgotten”.
6. Make sure you know what to do if you have a security breach
It was previously the responsibility of only some organisations to report a data breach to the Information Commissioner’s Office, but the GDPR makes it everyone’s responsibility.
However, it only applies to security breaches that are “likely to result in a risk to the rights and freedoms of individuals”.
While this might sound as though it may not apply to you, this includes a data breach that could result in a “loss of confidentiality”, which is a suitably vague description that could apply to almost any data loss involved with a company’s finances or even simply the identity of individuals.
In the case of the upcoming GDPR, we recommend that you apply a “better safe than sorry” rule in all circumstances!
The future of data collection
In the past, companies have almost casually collected contact details to start marketing to. Sometimes you might buy contact lists from third parties, or you might just add a small permission clause at the bottom of a landing page, like an afterthought. The current DPA does not require an opt-in for collecting data, it encourages but does not require a company to report data breaches, and there is no obligation for a company to remove all data they have on an individual from their system if requested.
These old methods of obtaining consent will soon be dead, and when the GDPR becomes law in May 2018, it will be your company’s responsibility, not the consumer's, to make sure that you comply.
Inbound marketing can help companies comply with the GDPR, by placing a great emphasis on gaining permission from your visitors and delighting them with quality, helpful content that they will want to receive.
If you would like to learn more about how inbound marketing can help you comply with the GDPR, contact us for a conversation or an inbound marketing assessment.
This blog should not be taken as legal advice. It is a sharing of information and our opinion, in the hope of giving you a clearer understanding of what will be expected of your company under the General Data Protection Regulation (GDPR). If you want to know more, visit the Information Commissioner’s Office website here.