The General Data Protection Regulation (GDPR) is European Union legislation that will apply from May 25, 2018. Its purpose can be summarised very simply: it aims to strengthen the rights of European Union (EU) citizens regarding how their personal data is used and how it is protected. (‘Personal data’ means any information that relates to an identified or identifiable natural person.)
As a marketing agency we have found that by creating customer experiences and journeys that feel personal and human, experiences founded on trust and carefully delivered, we can win the hearts and minds of our target audience.
The GDPR ensures that companies respect the rights of their customers and, in doing so, build trust. To build and maintain that trust, we need to be attuned to how, when and why our customers want to be engaged, and to respect their preferences for that contact.
If you’re thinking that this is just another piece of bureaucracy that you will eventually get around to sorting out – don’t – you need to act NOW.
The new legislation is a Regulation, which applies directly and uniformly across the EU, and NOT an EU Directive, which would need implementing separately in each EU member state.
In short, if you are doing business with Europeans that involves processing their personal data and you do not have these measures in place by 25th May 2018, then you are in breach, and the fines can be significant.
The maximum fine for a single breach is €20 million or 4% of annual worldwide turnover, whichever is greater.
There are two pivotal aspects of the GDPR that should motivate companies of all sizes to review, audit and update their practices:
• Consent – the consent of the individual to the processing of their personal data
• Accountability – as a company you need to be able to demonstrate that you comply with the principles of the GDPR
Consent is the big one, and for many companies it may involve a long-overdue cull of their marketing list. Under the terms of the GDPR, consent is defined as
“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
The wording creates a dual requirement: there must be an “affirmative action” that captures the consent, and the consent must be “specific” about how the personal data will be used.
This will most likely mean a significant change to the way in which most companies record and respect customer preferences.
By our very nature, humans often change our minds, and over time our preferences change. The GDPR addresses this too: companies must make it easy for data subjects to change their preferences or to withdraw their consent altogether if they wish.
Therefore, everyone who collects data should audit and review the points at which they currently collect it, and likewise ensure that their existing lists comply.
Consent can be given in several ways:
• by providing verbal consent to the company over the telephone
• by sending an email containing an affirmative opt-in statement to marketing or another point of contact within the organisation
• by providing verbal consent or a physical copy of contact details (such as a business card) in person, for example during a networking meeting or marketing event
Every website in Europe should already be using cookie consent, which started as an EU Directive and was officially adopted by all EU countries in May 2011.
The GDPR goes one step further by treating cookies as personal data. They are mentioned in the GDPR, in Recital 30:
“Natural persons may be associated with online identifiers…such as internet protocol addresses, cookie identifiers or other identifiers…. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
Under the GDPR, therefore, any cookie or other identifier that is uniquely attributed to a device, and is therefore capable of identifying an individual, or of treating them as unique even without identifying them, is personal data and requires consent.
The GDPR requires you to show how you comply with the principles by documenting the decisions you make about the processing activity.
You must include all the relevant legal information regarding what data you are recording and how you are complying with the GDPR.
If you do not have an SSL certificate on your website (and every website should have one), then you WILL need to purchase one if you are collecting data.
The accountability provision is qualified by the so-called risk-based approach: what measures are appropriate in each case will depend on the nature, scope, context and purposes of the relevant processing, as well as on the risks, of varying likelihood and severity, to the rights and freedoms of individuals.
The new legislation places an onus on companies to understand the risks that they create for others, and to mitigate those risks. It is about moving away from seeing the law as a box-ticking exercise, and instead working on a framework that can be used to build a culture of privacy that pervades the entire organisation.
It means a change to the culture of an organisation. That isn’t an easy thing to do, and it’s certainly true that accountability cannot be bolted on: it needs to be a part of the company’s overall systems approach to how it manages and processes personal data.
But this shift in approach is what is needed. It is what consumers expect. The benefit for organisations is not just compliance but also an opportunity to develop the trust of their consumers in a sustained way.
Having the right mindset towards data protection helps to future-proof a business. It will put it in the right place to keep up with legislation. And if your clients adopt this mindset, and communicate it, consumers will know that those companies are building privacy by design into their products and services, third-party arrangements and future uses of data.