As of 25th May 2018, it will be a legal requirement for any organisation that handles the personal or sensitive information of an individual to abide by the General Data Protection Regulation (GDPR). It will be the organisation's and the employee's responsibility to ensure that data is stored securely, which means new procedures will need to be put in place to protect that data.
GDPR in the Marketing Sector
GDPR is the new hot topic in the world of regulations. Despite how widely it is discussed, there still seems to be a grey area surrounding the regulation in certain business sectors, and marketing is one of those in question.
In fact, data protection in marketing is quite easy to get your head around. There are three key points you need to understand when dealing with personal data in marketing: permission of data usage, accessing data, and the focus of the data.
Permission of Data Usage
Nobody likes to receive spam emails from companies, especially if they didn't sign up to receive their "latest offers". GDPR requires you to obtain explicit permission from people before you send them marketing emails, and these emails can only be sent to people who have opted in to receiving them. You should not assume that the person filling in a form wants to be contacted. Opt-in tick boxes (left unticked by default) are one of the most commonly used ways of recording this permission.
Accessing Data
Simply put, people have the right to have any of their outdated or incorrect personal details corrected or removed. GDPR gives the consumer more control over how their data is collected and used. They should be able to access and remove this data, and they also have the right to be forgotten. From a marketing perspective, you need to offer your users, consumers and audience the ability to do this. A simple example is including an 'unfollow' box in every email campaign they are subscribed to, so they can withdraw at any time.
The Focus of the Data
Another topic that GDPR emphasises is data focus. GDPR requires companies to collect only data that is relevant to the purpose for which it is collected. Essentially, the regulators don't want your broadband provider asking for your IQ before they give you internet access, and the same applies to marketing. So all you need to do is check that you are only collecting relevant information, and not any information that is of little value to you or won't be used.
Defining the Controller and Processor
Some people are put off by the complexity of the GDPR terminology. When we talk about data controllers, data processors and data subjects, this is what we mean:
- Data Controller – An individual or organisation who decides why and how personal data is processed.
- Data Processor – An individual or organisation who handles personal data on behalf of, and at the request of, a Data Controller.
- Data Subject – The person the data is about.
Key Regulation Changes in GDPR
- You must abide by the regulations if you do business in the EU with EU data subjects, even if your business is not in the EU.
- Consent from parents or guardians will be required for the processing of the personal data of children, meaning any person under 16 years old.
- Data privacy now covers more aspects of identifying an individual, including their economic, mental, cultural, genetic or social identity.
- Consent documents must set out very clearly and simply how information is collected and what it will be used for.
- Article 35 of the General Data Protection Regulation states that Data Protection Officers (DPOs) must be appointed for all public authorities. Additionally, a DPO will be required where the core activities of the controller or the processor involve "regular and systematic monitoring of data subjects on a large scale" or where the entity conducts large-scale processing of "special categories of personal data". Companies whose core activities don't involve such data collection will be exempt from the obligation. Anyone with expert knowledge of data protection law and practice can be appointed as DPO.
- When carrying out high-risk processing activities, data controllers are required to conduct a privacy impact assessment to analyse and minimise the risks that the processing could introduce for their data subjects.
- An organisation's data controllers have to report data breaches to their data protection authority within 72 hours, unless the breach is unlikely to pose a risk to the data subjects.
- Data subjects now have the right to be forgotten and to alter incorrect information.
- Data processors now have a direct legal obligation and responsibility, which means they can be held liable for data breaches. Contractual arrangements will need to be updated, and stipulating the responsibilities and liabilities of the controller and the processor will be a crucial requirement in any future agreement. Both parties will have to record and document their data responsibilities more clearly than before, and the increased risk may affect service costs.
- Data portability will allow a data subject to request a copy of their personal data in a format they can use and that can be transmitted electronically to another processing system.
General Data Protection Regulation Training
Here at iHasco, we’re developing an online GDPR training course, to help you comply with the new regulations!
All organisations within the EU (and any non-EU businesses that collect data from individuals and businesses within the EU) will need to be compliant when the regulation comes into effect on 25th May 2018, but many organisations are already implementing policies and procedures now to make the transition smoother.
So why wait? Why risk a fine? Register your interest in our course now!