GDPR Principles and GDPR Overview
So, what is GDPR? It stands for ‘General Data Protection Regulation’. Essentially, it has been introduced to further protect an individual’s personal data and means that businesses need to collect, manage and protect data more effectively.
Personal data now covers much more, including a person’s name, number, location, online identifier, economic status and attributes such as physical appearance. Online identifiers even include IP address, cookies and search data.
Despite the Data Protection Act (1995) being in place already, GDPR measures are more extreme even though the number of principles has been reduced, and these regulations will replace the DPA. GDPR is much broader in scope, gives individuals more power to control what happens to their data, and imposes much harsher penalties on those businesses that fail to comply with the rules.
We all know data protection has been all over the news the last few months and for good reason! All businesses that hold the data of EU citizens need to be compliant before the 25th May 2018. Businesses should be aware of all GDPR principles and ideally read the full regulation of 88 pages! As long as your business is GDPR compliant, the ICO (Information Commissioner’s Office) will allow the use of legacy data after May 2018.
Through GDPR, individuals will have the right to access the data an organisation stores about them, to have this data deleted, and to reduce data sharing and security breaches. We must also all give consent for an organisation to process our data.
For businesses to achieve all this, they must show transparency in how data is collected, stored, used and shared.
Consent must be gained and opt-in boxes must not be pre-ticked. Records must be kept as evidence of this, and it must be simple for individuals to withdraw their consent at any time. Records regarding data processing must also be kept, such as when someone consented and what the data is being used for. Customers must also be able to refuse marketing communications, which is bad news for many companies.
Businesses can face huge fines of up to 2% of global turnover for non-compliance, security breaches and a lack of a data protection officer where one is required.
Most of the GDPR is similar to the current data protection laws, but there are some significant changes.
Spread the word: All staff, clients and/or service users must be informed of their rights.
Appoint a Data Protection Officer: The GDPR states that a data protection officer (DPO) should oversee an organisation’s data protection strategies and compliance programme.
Plan for data breaches: Organisations must report data breaches to their supervisory authority within 72 hours of discovery and provide them with as much detail as possible.
Conduct a Data Protection Impact Assessment: Organisations must conduct a data protection impact assessment (DPIA) before undertaking new projects or initiatives.
Initial GDPR Compliance Checklist
1) Fully understand what is expected in terms of data protection security and your business.
2) Create a privacy agreement in easy-to-understand language on your website, with opt-in and opt-out functions, so there is full transparency about how you handle data.
3) Determine how you will handle collecting consent.
4) Make everything accountable.
Examine the data
The DPC advised organisations to make an inventory of all the personal data they hold and examine it under the following questions:
1) WHY are you holding it?
2) HOW did you obtain it?
3) WHY was it originally gathered?
4) HOW long will you retain it?
5) HOW secure is it? Is the data encrypted?
6) DO you share it with third parties and on what basis?
Explain Your Use of Legacy Data
1) Demonstrate to individuals why you have collected their data.
2) Tell them in clear and concise language appropriate for your target audience.
3) Give individuals the chance to object to the processing of their data.
4) Record your legal grounds for processing an individual’s personal data.
5) Reconnect with people on your database using direct mail. Email is usually the most efficient way of doing this and makes it very easy for customers to update their preferences or unsubscribe straight away.
6) Demonstrate that you have clearly and specifically informed the individual what you are doing with their data and why.
7) Renew consent at least every two years after you have been reconnected.
Steps Towards an Efficient GDPR Strategy
Increase Awareness: Make sure that decision makers in your organisation are aware that the law is changing and the GDPR is to replace existing data protection laws.
Information You Hold: Organise an information audit to confirm what data you hold, where it came from and who you share it with.
Privacy Information: Review your current privacy notices and put a plan in place for making necessary changes in time for GDPR implementation.
Individual Rights: Ensure all your procedures cover the rights individuals have, including the right to be forgotten.
Request for Access: Procedures and plans need to be put in place, so your organisation can handle requests within the new timescales.
Lawful Basis for Processing Personal Data: identify the lawful basis for your processing activity, document it and update your privacy notice to explain it.
Consent: Review how you seek, record and manage consent and whether you need to make any changes.
Children: you may need to put systems in place to verify the age of individuals and to obtain parental or guardian consent for any data processing activity.
Data Breaches: Ensure you have the right procedures in place to detect, report and investigate a personal data breach.
Data Protection By Design: Familiarise yourself with the ICO’s code of practice on Privacy Impact Assessments.
Data Protection Officers: Designate someone to take responsibility for data protection in your organisation.
It is important to train all members in your organisation because data protection must become embedded in the culture and is the responsibility of everyone.
Prepare for future updates. Recognise that GDPR is a work in progress and amendments may be needed in the future.
Does Brexit Affect GDPR?
The Brexit transitional phase is likely to take up to two years. In the meantime, all UK companies must abide by and adhere to EU laws and regulations. The GDPR applies to all organisations operating within the EU. It also applies to organisations outside of the EU that offer goods or services to individuals in the EU.
How Will GDPR Affect the Digital Marketing Industry?
GDPR will change the digital marketing and advertising industry, as the new regulations say that individuals need to consent to being sent marketing materials from a company. This will reduce the number of targeted campaigns. Some experts believe that online targeting will eventually shift away from the use of personal data.
As mentioned previously, email marketing needs to be considered: big brands have faced huge fines when they have sent out marketing materials to everyone in their database, including those who had previously unsubscribed. In B2B marketing, email address lists are of vital importance for lead generation, and firms will need to approach this much more strictly.
Even the data picked up by cookies and other tracking technologies on websites will require prior consent. This applies when the data is used for non-essential purposes such as advertising and profiling. The way browsers collect data and ad-tech techniques are sure to change after this month, leaving the fate of the industry up in the air and making way for new types of online advertising.