GDPR: What you need to know
As we’re sure you’ve heard – by the 25th of May 2018 you will need to have ensured that all of your online databases are fully compliant with the new GDPR regulations! “But what is GDPR?!” we hear you scream, “And how can I do this alone?!”. Never fear, the SNS team are here to answer all of your questions.
Right, so what is GDPR? It’s essentially an extension of the Data Protection Act, which was rolled out in 1998. Back when that Act was created, fewer than 10% of British households had the internet. In the two decades since, the technological world has grown to new heights, and a new law is now required to reflect and address the foreseeable trends in tech, including the use and misuse of data held by online organisations.
We’re all familiar with the term ‘data breach’, which is thrown around daily on the news. It’s become clear that the security of personal data needs to be a higher priority than ever, with serious implications following a breach. It isn’t only standard data such as name and address that could be in danger: payment details, purchase histories and other personally identifiable data stored online, which tracks your online activity, are at risk too.
Both data controllers (businesses) and data processors (marketing bodies who process on behalf of a data controller) within the EU need to be aware of the new legislation, or they could be in for a heavy fine. Both parties could be fined up to €20,000,000 or 4% of annual group turnover (whichever is higher) for non-compliance. Despite the Brexit vote, this EU legislation will remain incorporated into UK law upon leaving the EU (by way of the EU Withdrawal Bill).
Under the new law, data subjects (a business’s customers and potential customers whose data it holds) must be able to freely request their data from the processor / controller, as they have the right to know how, when, and for what purpose you are holding and processing their data. The data controller must be able to provide a copy of this personal data (to prove that they are holding it legitimately), free of charge, in electronic format.
The data subjects also have the right to have their data erased by the controller in order to cease further dissemination of the data, and potentially to have third parties halt processing of their data too.
The GDPR will make the accountability principle a legal obligation. This means that a processor must take the appropriate technical measures to ensure they can demonstrate that the data they hold is being processed in accordance with the law, and must review and update those measures where necessary.
Because of the GDPR, it will become harder for organisations to obtain valid consent prior to processing. Unambiguous consent is now a necessary precursor to processing, and individuals will need to actively give consent for their data to be processed. This consent must be freely given, unambiguous, and involve a clear, affirmative action. This means no pre-checked tick boxes, no hidden subscriptions, and no purchasing data from shady sources.
All businesses must keep clear records to demonstrate consent-to-market was given freely by an individual, and these individuals have the right to withdraw their consent as easily as they gave it. In a nutshell, you must always give your subscribers, customers and potentials a clear way to unsubscribe from your online marketing strategies (on your website and when necessary via your email campaigns).
Crystal clear consent is non-negotiable when it comes to the GDPR regulations. You will even need to prove that your historic data has come from a legitimate source (with freely given consent) – so contacting your database before 25th of May might be necessary for you to obtain updated consent from your audience.
Here are some of the key factors to take into consideration when you obtain consent from your database:
• Consent should be freely given and separate from other T&Cs.
• Avoid using consent as a pre-condition of signing up to a service.
• Pre-ticked checkboxes may not be used under the new legislation.
• Organisations must keep clear records to demonstrate consent.
• If personal data is to be used or processed for multiple purposes, consent must be given separately for each purpose.
• Consent must be unambiguous and involve a clear, affirmative action.
• Individuals have the right to withdraw consent as easily as they gave it.
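The list above, together with the earlier points about keeping records that demonstrate consent and letting subscribers withdraw as easily as they opted in, translates fairly directly into code. The following is an added example (written for this page, not code from the SNS team or any real consent platform) of a small per-purpose consent ledger: it checks a sign-up form definition for pre-ticked boxes, bundled purposes and consent-as-precondition, records only boxes the subject actually ticked, treats withdrawal as a single call, and can produce the record you would hand over to demonstrate consent. Every name, field layout and sample value is constructed for illustration.

```python
"""Per-purpose consent ledger. Added illustration; all names are hypothetical."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One grant or withdrawal, kept permanently so consent can be demonstrated later."""
    subject_id: str
    purpose: str          # exactly one purpose per event, e.g. "email_marketing"
    granted: bool         # True = consent given, False = withdrawn
    timestamp: datetime
    source: str           # where it was captured, e.g. "signup-form-v3"
    wording: str          # the exact text shown to the subject at the time


def check_form_definition(form: Dict[str, dict]) -> List[str]:
    """Flag the consent-form patterns the post lists as unacceptable.
    `form` maps checkbox name -> {"default_checked", "required", "purposes", "wording"}."""
    problems = []
    for name, spec in form.items():
        if spec.get("default_checked", False):
            problems.append(f"{name}: pre-ticked checkbox")
        if spec.get("required", False):
            problems.append(f"{name}: consent used as a pre-condition of signing up")
        purposes = spec.get("purposes", [])
        if len(purposes) != 1:
            problems.append(f"{name}: must cover exactly one purpose, covers {len(purposes)}")
    return problems


class ConsentLedger:
    """Append-only record of consent decisions, queried per subject and purpose."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record_submission(self, subject_id: str, form: Dict[str, dict],
                          submitted: Dict[str, bool], source: str,
                          now: Optional[datetime] = None) -> List[str]:
        """Record only boxes the subject explicitly ticked (a clear, affirmative action).
        A missing or unticked box records nothing: silence is not consent.
        Returns the purposes for which consent was granted."""
        now = now or datetime.now(timezone.utc)
        granted = []
        for name, spec in form.items():
            if submitted.get(name) is not True:
                continue
            purpose = spec["purposes"][0]
            self._events.append(ConsentEvent(subject_id, purpose, True, now, source, spec["wording"]))
            granted.append(purpose)
        return granted

    def withdraw(self, subject_id: str, purpose: str, source: str,
                 now: Optional[datetime] = None) -> None:
        """Withdrawal is a single call with no extra hoops, so it is as easy as granting."""
        now = now or datetime.now(timezone.utc)
        self._events.append(ConsentEvent(subject_id, purpose, False, now, source, "withdrawn by subject"))

    def _latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        # Events are appended in chronological order, so the last match is current.
        matches = [e for e in self._events if e.subject_id == subject_id and e.purpose == purpose]
        return matches[-1] if matches else None

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        latest = self._latest(subject_id, purpose)
        return latest is not None and latest.granted

    def evidence(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        """The record you would produce to demonstrate current consent, or None."""
        latest = self._latest(subject_id, purpose)
        return latest if latest is not None and latest.granted else None

    def export_for_subject(self, subject_id: str) -> List[dict]:
        """Electronic copy of every consent record held about one subject."""
        out = []
        for e in self._events:
            if e.subject_id == subject_id:
                d = asdict(e)
                d["timestamp"] = e.timestamp.isoformat()
                out.append(d)
        return out


# Constructed sample form definitions: one that breaks the rules, one that follows them.
BAD_FORM = {
    "marketing_opt_in": {"default_checked": True, "required": True,
                         "purposes": ["email_marketing", "sms_marketing"],
                         "wording": "I accept the T&Cs and agree to receive marketing"},
}
GOOD_FORM = {
    "email_opt_in": {"default_checked": False, "required": False,
                     "purposes": ["email_marketing"], "wording": "Yes, email me offers"},
    "sms_opt_in": {"default_checked": False, "required": False,
                   "purposes": ["sms_marketing"], "wording": "Yes, text me offers"},
}

if __name__ == "__main__":
    print(check_form_definition(BAD_FORM))
    ledger = ConsentLedger()
    ledger.record_submission("subj-42", GOOD_FORM, {"email_opt_in": True, "sms_opt_in": False},
                             "signup-form-v3", datetime(2018, 5, 1, tzinfo=timezone.utc))
    print(ledger.export_for_subject("subj-42"))
```

The important design choices are that nothing is recorded unless the box was explicitly ticked, that each event carries the wording shown at the time (so the record demonstrates what the person agreed to, not just that a flag was set), and that withdrawals are appended rather than deleting history, so you can still show when consent was held and when it ended.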
If you have any questions about how the GDPR may affect your online marketing strategy, then get in touch with us via the button below.