GDPR is coming. Ready or not?
On 25th May 2018, new data laws (GDPR) are coming into force across Europe and this includes the UK despite Brexit. In fact, the laws relate to how data for EU citizens is handled, so even if one of your offices is outside the EU, if you’re dealing with European data, you’ll need to comply.
If you don’t comply, penalties are as much as 4% of the annual global turnover or 20 million euros, whichever is greater.
The laws are wide-reaching and will impact more than your marketing department. There are bold new changes to obtaining and using data, as well as important regulations on how to store, access and remove personal data from your systems. We strongly recommend you start getting a plan in place now, as you’re likely to see some very significant changes.
In this blog, we summarise the key changes (largely from a marketing perspective), provide a checklist of things you should consider now and provide some further reading. Hopefully, this will help you get the ball rolling. But you will want to read up further and maybe even seek consultative advice, as the laws are complicated and new information is still being drip-fed.
What is personal data?
The new laws relate to personal data, which is defined as:
“Any information relating to an identified or identifiable individual (data subject).”
It’s worth highlighting that the laws relate to data that can directly or indirectly identify a person, so information such as place of birth, mother’s maiden name, religion etc. falls under the new laws. This shouldn’t cause too many headaches in the agency world, as it’s rare you’ll collect this data, but you may collect and record information such as client birthdays.
Cookies are treated as personal data, as are login patterns, buying patterns and behavioural patterns. So you may need to consider what this will mean when you’re looking at insights for your clients – if you’re responsible for collecting and analysing this data.
It’s not new that people should consent to their data being used, specifically in marketing, but this has been loosely enforced at best. That’s about to change. Consent must now be given and recorded. GDPR defines consent as:
"Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
No more pre-ticked boxes, bundled T&Cs or implied consent.
Consent for marketing must be explicitly gained for that specific purpose. For example, you may need your client’s data to discuss their project but that doesn’t mean you have consent to email them your blogs. In terms of your clients, they may need a customer’s address to post them their shopping, but that doesn’t mean they can assume consent for direct mail.
Companies must keep a record of how and when consent was given – which you’re likely to want to do anyway, given the penalties for non-compliance.
Once you have the data
As before, people have the right to withdraw their consent at any time. We’re all pretty used to unsubscribe buttons, but people now have the ‘right to be forgotten’. So they can request to be removed from your database altogether, not just your mailing list. They also have the right to access and rectify their data at any time, and you must provide them with this information in a ‘portable’ format.
Data Protection and Accountability
You’re responsible for the data you hold and you must take steps to protect it – you must also be able to demonstrate these steps to Data Protection Authorities (DPAs).
Protecting data means offering protection against cybercrime and extends to training your employees on your protocol for how to handle data.
You must also know who has access to your data and how they can access it. For example, can employees access your company database from home, on a mobile and on their personal devices? If so, what happens if they leave the agency? Consider what all this will mean for data security and put appropriate measures in place.
If you do have a breach, you must notify the relevant bodies, and in some instances your customers, within 72 hours.
Many companies are taking the approach of having someone in a role dedicated to producing and enforcing processes around these new laws. If you’re a larger agency it seems like a sensible idea, even if it’s a consultant to get you started rather than a permanent team member. But even smaller agencies need to consider these new laws seriously and we recommend having someone internal spearhead the project, as the penalties are too stiff to risk.
GDPR may seem like a huge headache looming, but there are some positives. The people you do reach with your marketing messages are going to be actively engaged, so you can cut out the white noise. And don't forget, these laws impact your personal data too. Could we finally see an end to those nuisance phone calls and reams of endless junk mail?
This is not a checklist of everything you’ll need to do, more our thoughts on reasonable things to get you started. We recommend you start thinking about this now.
• Do all relevant people in your agency know about these new laws? If not, flag it now.
• Read up. There’s a lot of information out there, but after reading this summary, you really need to go a little deeper. There’s more heavy-going reading at the end of this blog.
• Who’s going to lead this activity within your agency and who else needs to be involved?
• Get a picture of how your company is storing personal data at the moment. Is the data protected? Are you sharing data with other agencies in your group or other third parties? Are there any obvious changes needed?
• How will you communicate these changes to the wider team? Does everyone have access to client data?
• How and when are you going to get relevant permissions from your existing database?