From small start-up to multi-national organisation, if you handle and/or store personal data for any purpose, including e-commerce / in-store sales transactions or marketing purposes, you need to be prepared for the introduction of new regulation called the General Data Protection Regulation (GDPR), which is being introduced to EU-based businesses on the 25th May 2018.
The GDPR is a new set of rules that aim to give the people of the EU better protection and greater transparency over how organisations use their personal data. If organisations do not comply and are involved in a breach of personal data, they could be liable for a hefty fine of up to 4% of global turnover or €20million (approx. £17,461,200) – whichever is more.
As well as ensuring we have the best practices in place for our own data handling, Wired Studio is also working hard to help our clients build compliant procedures of their own. This guide will help make sure you are prepared for the introduction of the GDPR and are compliant thereafter.
What is personal data?
Under the GDPR, the definition of personal data is:
“Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (such as an IP address) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
(Ref: Article 4 GDPR)
Fundamentally, this means that existing databases used as sales records for marketing purposes will need to be completely disposed of (deleted without a trace) unless your business can prove that each person has explicitly chosen to opt in to receive information from your business.
While most marketers and business owners might recoil in horror after reading this, it is actually a benefit in the long run: the contacts left in your databases will be better targeted and more likely to buy from you. View it as the ultimate spring-cleaning exercise!
Who is responsible?
Under the GDPR, there are two responsible parties for the transparency, ongoing management and security of personal data. These are known as the controller and the processor.
Many of our clients hold legacy personal data, which has been gathered over time. These clients would be known as the data controller and are responsible for determining the purposes and means of processing personal data.
The data processor is any organisation or person who processes data (for example, uses data for email marketing purposes) on behalf of the controller.
Both the data controller and data processor must be seen to be compliant and fines can be applied to both parties.
What should you do before 25th May?
This is your time to rescue as much of your legacy data as possible before the new regulation comes into force. Up until 25th May 2018, you can still validate that data if you can demonstrate explicit consent.
Wired Studio is currently putting together a GDPR package for many of our clients which includes a re-engagement email before the GDPR comes into force. This will help to save as many of your existing customer contacts as possible.
How to be compliant after 25th May
Following the introduction of the GDPR, you will need to conform to a new set of rules to be compliant. We will explain what they are and what steps you need to take next.
Consent: One lawful basis for processing is explicit consent, whereby a person opts in. That person must be told what they are opting into and must affirmatively opt in. Pre-ticked boxes are no longer permitted: the person has to actively tick the boxes and can choose not to opt in.
If they choose not to opt in, they must not be penalised for that choice. For example, they might still be allowed to download a document without allowing you to use their personal data for marketing purposes.
If they choose to opt in, consent must be granular: they can choose to receive emails but not texts or phone calls, for example.
Wired Studio recommends that organisations adopt a double opt-in strategy: the person chooses to opt in and is then sent an automated email asking them to confirm that action.
Opt-out, delete or amend preferences: The person must also be given the right to amend their details at any time (you must keep a record of these changes), to opt out (unsubscribe), or to ask for their details to be completely deleted from your system. If someone requests deletion, your organisation has to act on it within 30 days, deleting all email tracking history, call records, form submissions and any other personal data. These options must be easily accessible through a preference centre.
Access and portability: The person can also request access to the personal data you hold about them, so the data must be held in an easily machine-readable format such as a CSV or XLS file. The same applies to portability requests: a person can ask for their data to be ported over to another data controller, even a competitor, for example when they change insurance companies.
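As an added illustration (not code from the original post or from Wired Studio's package), the following Python consent record implements the rules above in one place: nothing pre-ticked, a separate choice per channel, double opt-in via an emailed confirmation token, a preference centre whose every change is recorded, erasure on request, and a CSV export for access and portability requests. The channel names and the token scheme are assumptions.

```python
import csv
import io
import secrets
from datetime import datetime, timezone

CHANNELS = ("email", "sms", "phone")  # assumed channels; the whole model is illustrative, not Wired Studio's

class ConsentRecord:
    def __init__(self, email):
        self.email = email
        self.prefs = {c: False for c in CHANNELS}  # nothing is pre-ticked
        self.confirmed = False                      # True only after double opt-in
        self.pending_token = None
        self.history = []                           # record of every change
    def _log(self, event):
        ticked = ",".join(c for c in CHANNELS if self.prefs[c])
        self.history.append((datetime.now(timezone.utc).isoformat(), event, ticked))
    def update(self, **choices):
        # Preference-centre change (opting out is simply every channel False); always logged.
        for channel, ticked in choices.items():
            if channel not in CHANNELS:
                raise ValueError(f"unknown channel {channel!r}")
            self.prefs[channel] = bool(ticked)
        self._log("updated")
    def request_opt_in(self, **choices):
        # Double opt-in, step 1: store the ticked channels and return the token for the email.
        self.update(**choices)
        self.pending_token = secrets.token_urlsafe(16)
        return self.pending_token
    def confirm(self, token):
        # Step 2: consent counts only once the emailed token comes back unchanged.
        if self.pending_token is None or not secrets.compare_digest(token, self.pending_token):
            return False
        self.confirmed, self.pending_token = True, None
        self._log("confirmed")
        return True
    def may_contact(self, channel):
        return self.confirmed and self.prefs.get(channel, False)
    def erase(self):
        # Deletion request: identifier, preferences and change history are removed together.
        self.email, self.confirmed, self.pending_token = None, False, None
        self.prefs = {c: False for c in CHANNELS}
        self.history = []
    def export_csv(self):
        # Access / portability: everything held about the person, as machine-readable CSV.
        w = csv.writer(buf := io.StringIO())
        w.writerow(["address", "confirmed", *CHANNELS])
        w.writerow([self.email, self.confirmed, *(self.prefs[c] for c in CHANNELS)])
        w.writerows(self.history)
        return buf.getvalue()
```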
How do I put these in place?
Wired Studio is offering a GDPR package that recommends a range of different procedures and software to ensure a smooth transition in preparation for 28th May 2018 and beyond to make sure each party is compliant.
If you would like to discuss your GDPR compliance with Wired Studio, please contact us here.