After a number of years of discussion, the European Union accepted the General Data Protection Regulation (GDPR) in April 2016 and it is now European law. GDPR was created to give individuals more options to control how their data is held by organisations. The deadline to comply with the new law is May 25th 2018. Many organisations say they are not ready, are you?
Companies have until 25 May 2018 to become compliant. After this date there are severe consequences for noncompliance. You have to make sure you are compliant with all the rules. This means you also need to have a process ready to handle requests from individuals who want to understand how their data is being treated. It’s important to note that the burden of evidence lies with you (the organisation that holds the data) rather than the individual who requests information on how their data is being treated by you. Once you receive a request from an individual your organisation has one month to comply. Certain organisations may even have to employ a Data Protection Officer (DPO). The bottom line, there is a lot to consider in getting the relevant process in place well before the deadline. It’s important to get started sooner rather than later.
Think this doesn’t apply to you because you are not a European based organisation? Not so fast! Even if you are not a European organisation you have to be compliant if you are collecting data from European residents. Much like American CAN Spam laws for us in Europe.
Now you ask, is this a good thing? Does it cause trouble for me as an Inbound Marketer? In my opinion, it is a good thing and if you stick to the inbound principles (#purist) preparing for GDPR should be a manageable process.
What are the consequences of non compliance?
The EU has set severe penalties for companies that are not compliant by May 2018. Not complying with the law can land you a fine of up to 10 million Euros or 2% of your global gross turnover. These penalties are linked to a lack of record keeping, security breach notifications or privacy impact assessment obligations. The penalties are doubled to 20 million Euros or 4 % turnover if the problem involves legal justification of data processing, lack of consent, data subject rights or cross border data transfers.
What do I need to do in order to be compliant with GDPR?
Your organisation can get in trouble over a number of issues:
- Not complying with a request from an individual to understand how their data is being held.
- Not being able to show how and when consent was obtained
- If consent hasn’t been explicitly given, it can be implied by the person's relationship with the company such as a request to receive information or a prior contractual engagement. The data that has been obtained should however be for specific, explicit and legitimate purposes. So, if I request to download a white paper on subject X, this doesn’t imply that you have my consent to contact me about subject Y.
- When a request ‘to be forgotten’ is made by an individual, all data collected has to be permanently removed and this should be confirmed to the individual who made the request.
- Contact details from and identity of the organisation (so make sure that your microsite clearly states which organisation it is linked to!).
- The purpose and lawful basis of collecting the data and plans for future use.
- Where the data will be held (country) and if it will be transferred internationally (which will be the case for most of us using cloud solutions, clearly state what software you use and where your provider stores your data).
- How long you intend to store the data.
- The right to access, rectification or removal of data as well as the right to withdraw consent at any time.
- The right to file a complaint and how to do this.
- The breach should be reported timely “without undue delay and, where feasible, not later than 72 hours after having become aware of it” if the breach is likely to “result in a risk for the rights and freedoms of individuals”.
- Where requests to access data are manifestly unfounded or excessive then businesses will be able to charge a fee for providing access.
A few definitions
Firstly, personal data is any information relating to an individual who can be identified either indirectly or directly.
This includes amongst other things:
- Personal data
- Email address
- Phone number
- Job title, place of work
- IP addresses
- Cookie data
- Cultural or social identities
- Economic data
- Genetic, physiological or mental information
Secondly, consent should be explicitly given. Likely you’ve considered implicit and explicit consent before while reviewing your form strategy. Many inbound marketers agree that a pre-ticked consent box is a strict no-go and in certain countries this is already part of the law. The EU uses the following language to explain explicit consent:
“any freely given, specific, informed and
unambiguous indication of his or her wishes by which
the data subject, either by statement or by a clear
affirmative action, signifies agreement to personal
data relating to them being processed”
GDPR applies to both personal and professional data collected. This means that implications are the same, whether you are working with B2B or B2C contacts.
Who should be involved?
There are various departments that should be involved in preparation for GDPR and not in the least your legal department or council. Below we’ve outlined examples of responsibilities that sit with specific people in your organisation. This list isn’t exhaustive and is slightly different for every organisation or company. Privacy and security is something the entire business takes care of as a whole. Having said that, it is helpful for your team to understand what their specific responsibilities (can) be.
Job titles and responsibilities:
- Overall responsibility across departments and should ensure prioritisation.
- Should review all marketing processes.
- Has to create an internal accountability framework.
- Define job descriptions and ensure recruitment of the right people in charge of data protection.
- They must be able to compliance and lawful processing.
- They are responsible for creating processes around security breaches and request for access.
- Must be able to provide the data subject with their identity and contact details as well as the purposes for collecting and information on how long the data will be stored.
- All communication should be in easily accessible and plain language.
- Data security should be at the core of all software going forward.
Steps to take now (yesterday)
Most importantly, get to work! At time of writing there is less than 11 months until GDPR comes into full effect. Speak about it with your colleagues, customers and suppliers and start including re-permissioning links in all your communication going forward.
Review all your current and upcoming campaigns, as well as automated systems and make sure that any new automation you work on going forward meets the requirements as EU citizens have a right not to be subject to decision making solely based on automated systems.
The following steps have been suggested by the UK Information Commissioner's office (ICO) in March 2016 and summarised by IBM. They provide a good checklist to use when getting ready for May 2018.
- Ensure key departments are aware that the law is changing, and anticipate the impact of GDPR.
- Document what personal data is held, where it came from and with whom it is shared.
- Review current privacy notices, and make any necessary changes.
- Review procedures to address the new rights that individuals will have.
- Plan how to handle requests within the new time frames, and provide the required information.
- Identify and document the legal basis for each type of data processing activity.
- Review how consent is sought, obtained and recorded.
- Make sure procedures are in place to detect, report and investigate data breaches.
- Designate a Data Protection Officer to take responsibility for data protection compliance.