Essential guide to the GDPR
With the new General Data Protection Regulation coming into effect in May 2018, getting data right will become a legal imperative. Businesses that ignore the legislation could face big fines, potentially up to €20 million or 4% of annual worldwide turnover, whichever is higher, making it even more crucial for businesses to get their data processes in order now.
What is the General Data Protection Regulation?
The GDPR is a new EU regulation replacing Directive 95/46/EC, and it is directly applicable in every Member State. This means the UK does not need to pass enabling legislation for it to apply. The aim is to harmonise data protection law across the EU and to strengthen individual rights.
When is the GDPR coming into effect?
The GDPR was approved and adopted by the EU Parliament in April 2016. The regulation applies after a two-year transition period and, unlike a Directive, it does not require any enabling legislation to be passed by the government, meaning it applies from 25 May 2018.
In light of an uncertain ‘Brexit’ date – should we still continue with GDPR?
If you process data about individuals in the context of selling goods or services to citizens in other EU countries, then you will need to comply with the GDPR, irrespective of whether the UK retains the GDPR post-Brexit. If your activities are limited to the UK, then the position (after the initial exit period) is much less clear. The UK government has indicated it will implement an equivalent or alternative legal mechanism.
Who does the GDPR affect?
The GDPR applies not only to organisations located within the EU, but also to organisations located outside the EU if they offer goods or services to, or monitor the behaviour of, EU Data Subjects. In other words, it applies to any company processing or holding the personal data of Data Subjects who are in the European Union, regardless of where the company is located.
What constitutes personal data?
Any information relating to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify that person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites or medical information to an IP address.
Is ‘explicit’ or ‘unambiguous’ data subject consent needed?
The conditions for consent have been strengthened, meaning companies will no longer be able to rely on long, illegible terms and conditions full of legalese. The request for consent must be presented in an intelligible and easily accessible form, with the purpose of the data processing attached to that request, so that the consent given is unambiguous.
Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Explicit consent is required for processing sensitive personal data; in this context, nothing short of an active “opt in” will suffice. For non-sensitive data, “unambiguous” consent will suffice.
What about Data Subjects under the age of 16?
Parental consent will be required to process the personal data of children under the age of 16 for online services offered directly to a child, where consent is the legal basis. Member States may lower this age threshold, but not below 13.
ICO marketing guidance
We advise you read the ICO marketing guidance. Consent is central to the rules on direct marketing. Organisations will generally need an individual’s consent before they can send marketing texts, emails or faxes, or make calls to a registered number. They will also usually need consent to pass customer details on to another organisation under the first data protection principle.
If a company cannot demonstrate that they had valid consent, they may be subject to enforcement action.
Non-response does not constitute valid consent for marketing.
Businesses must keep records that show the date on which consent was given, what was consented to and how it was obtained. Among the most effective ways to achieve this is the ‘double opt-in’ method, whereby a customer ticking the box on the initial form triggers a follow-up email containing a hyperlink they can use to confirm that all the details are correct. The subscriber's confirmation via that link, logged with its date and time, provides suitable evidence of consent under GDPR. The link itself should carry an unguessable, time-limited, single-use token so that nobody other than the holder of the mailbox can confirm on the subscriber's behalf.
Example, short consent form
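The double opt-in flow described above, as an added example that is not code from this page, Marketscan or the ICO. It issues an HMAC-signed, expiring, single-use confirmation token when the form is submitted, turns a pending record into evidence of consent only when that token is presented, stores the date, the purposes consented to and the method by which consent was obtained, and makes withdrawal a single call. The secret key, the in-memory store and the example.invalid base URL are assumptions standing in for real configuration and a database.

```python
"""Double opt-in consent with a tamper-evident confirmation link and an
auditable consent record (date given, what was consented to, how obtained).

Added illustration. SECRET_KEY, CONSENT_STORE and CONFIRM_URL are assumptions
standing in for real configuration, a database table and a real site.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

SECRET_KEY = b"replace-with-a-random-32-byte-key"   # assumption: server-side secret from config
CONFIRM_URL = "https://example.invalid/confirm"      # assumption: placeholder base URL
TOKEN_TTL_SECONDS = 48 * 3600                        # unconfirmed requests expire after 48h

CONSENT_STORE: dict = {}                             # assumption: stand-in for a database


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def request_consent(email: str, purposes: list, source: str,
                    now: Optional[float] = None) -> Tuple[str, str]:
    """Step 1: the tick on the form. Records a *pending* consent and returns
    (record id, confirmation token). Nothing may be sent until confirmed."""
    now = time.time() if now is None else now
    cid = secrets.token_urlsafe(16)                  # unguessable record id
    CONSENT_STORE[cid] = {
        "email": email,
        "purposes": list(purposes),                  # what is being consented to
        "requested_at": now,
        "source": source,                            # where the request came from
        "status": "pending",
    }
    payload = json.dumps({"cid": cid, "exp": int(now + TOKEN_TTL_SECONDS)}).encode()
    return cid, _b64(payload) + "." + _b64(_sign(payload))


def confirmation_link(token: str) -> str:
    """The hyperlink placed in the follow-up email."""
    return f"{CONFIRM_URL}?token={token}"


def confirm_consent(token: str, now: Optional[float] = None) -> bool:
    """Step 2: the click on the emailed link. Only a correctly signed, unexpired,
    not-yet-used token turns a pending record into evidence of consent."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        if not hmac.compare_digest(_sign(payload), _unb64(sig_b64)):
            return False                             # forged or tampered link
        claims = json.loads(payload)
    except (ValueError, TypeError):
        return False                                 # malformed token
    if now > claims["exp"]:
        return False                                 # stale link
    record = CONSENT_STORE.get(claims["cid"])
    if record is None or record["status"] != "pending":
        return False                                 # unknown, or already used
    record["status"] = "confirmed"
    record["confirmed_at"] = now                     # the date consent was given
    record["method"] = "double opt-in email confirmation"  # how it was obtained
    return True


def withdraw_consent(cid: str, now: Optional[float] = None) -> bool:
    """Withdrawal is one call and is logged with its date, as easy as giving consent."""
    now = time.time() if now is None else now
    record = CONSENT_STORE.get(cid)
    if record is None or record["status"] != "confirmed":
        return False
    record["status"] = "withdrawn"
    record["withdrawn_at"] = now
    return True


def has_consent(email: str, purpose: str) -> bool:
    """The check a marketing system makes before sending anything."""
    return any(r["email"] == email and r["status"] == "confirmed" and purpose in r["purposes"]
               for r in CONSENT_STORE.values())


if __name__ == "__main__":
    cid, tok = request_consent("alice@example.invalid", ["newsletter"], "web signup form")
    print("email this link:", confirmation_link(tok))
    print("confirmed:", confirm_consent(tok), "| may send newsletter:",
          has_consent("alice@example.invalid", "newsletter"))
    print("evidence:", CONSENT_STORE[cid])
```

Because the token is signed rather than looked up by a guessable id, a forged or edited link (for example one with its expiry pushed forward) fails the HMAC check, and because a record leaves the ‘pending’ state on first use, a captured link cannot be replayed later. The stored record is what an auditor would ask for: who, when, for which purposes, and by what method.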
Purchasing B2B databases and GDPR
Marketscan – an award-winning database provider – advises: at present the rules for B2B marketing will be the same under GDPR although email and SMS marketing are currently governed by the Privacy and Electronic Communications Regulations and this will stay the same until any revised E-Privacy Regulation is agreed and in force. There was some talk about making email marketing to corporates opt-in as well as consumers, which is often where confusion can occur.
- For processing sensitive personal data – in this context, nothing short of explicit consent will suffice. However, for non-sensitive data, unambiguous consent will suffice.
- Sole traders and partnerships are treated as consumers and need to explicitly opt in.
- Employees of corporates, i.e. limited companies, public limited companies, limited liability partnerships and government departments, are provided on an opt-out basis.
- Employees of corporates should be given the option to easily unsubscribe or opt-out from receiving email marketing.
- Additionally, you must ensure that you give the recipient the option to easily unsubscribe or opt-out from receiving email marketing and that the product or service you are promoting is targeted to the right audience. For example, promoting a medical conference to an Accountant would not be deemed as appropriate.
Marketing data, your next steps
- Start now. Commence planning your General Data Protection Regulation change programme now to ensure your business is compliant; make sure your processes collect and record valid consent from individuals (sole traders, partnerships and consumers).
- Identify which processes may cause harm. Make a “hit list” of the processes that are most likely to cause harm to an individual, or the organisation.
- Put an Information Governance Framework in place – this will demonstrate your accountability by documenting how you review and act upon data management issues.
- Identify the external threats and internal errors posed to data management processes (e.g. third parties, agencies and database providers).
- As always, we will continue to closely monitor the updates and inform our clients of any changes where they occur.
For information of users: This material is published for the information of clients. It provides only an overview of the legislation and regulations in force, and due to come into force, at the date of publication and is not intended to provide a comprehensive review of all changes relevant to all clients. No action should be taken without consulting the detailed legislation or seeking professional advice. Therefore no responsibility for loss occasioned by any person acting or refraining from action as a result of the material can be accepted by the authors or the company.