GDPR - What It Is and How It May Affect You
What is GDPR?
GDPR stands for General Data Protection Regulation, the new privacy regulation being implemented across the European Union.
This policy change is the result of years of work by the EU to address the way data is now handled in our modern world. The overall aim is fundamentally about protecting an individual's data and respecting their privacy.
To contextualise, there was increasing concern that companies such as Facebook were using individual data for purposes outside their services, and the EU wants to stop that. The EU also wants to ensure that clear and consistent guidelines are implemented throughout the EU for all businesses to abide by.
When Does GDPR Take Effect?
The new legislation will be enforced from the 25 May 2018.
GDPR will automatically apply to the UK, and even if your business is outside the EU, it will still apply if your business handles data belonging to EU residents.
So What Has Actually Changed?
A Single Set of Rules
One set of rules will apply to all EU member-states - each member-state will launch an independent Supervisory Authority (SA) to deal with data protection.
This SA will function as a one-stop shop to supervise the activities of that business within the EU, with a European Data Protection Board coordinating these SAs. Businesses no longer have to deal with a separate authority for each EU member-state, which will make it simpler to do business within the European Union.
The Definition of Personal Data Will Be Broader
GDPR means that more forms of data are now regulated by the EU.
The scope of data privacy now includes other factors that could be used to identify an individual, such as their mental, genetic, social, cultural or economic identity.
Consent Will Be Needed to Process Children's Data
Parental consent will be necessary to process the data of children under the age of 16. EU member-states may lower the age requiring parental consent to 13.
Changes to The Rules For Obtaining Valid Consent
With regards to 'sign-up', a few things have changed:
- Indication of consent must be unambiguous and involve a clear, affirmative action
- Consent should be separate from other terms and conditions. It should not be a precondition of signing up to a service
- The GDPR specifically bans pre-ticked opt-in boxes
- It requires granular consent for distinct processing operations
- The GDPR gives a specific right to withdraw consent. You need to tell people about their right to withdraw, and offer them easy ways to withdraw consent at any time
Some Organisations Will Have To Appoint A Data Protection Officer
Article 35 of the GDPR states that Data Protection Officers (DPOs) are mandatory for all public authorities. A DPO must also be appointed where the core activities of the controller or processor include "regular and systematic monitoring of data subjects on a large scale" or where the entity performs large-scale processing of "special categories of personal data".
This obligation doesn't apply to organisations whose core business processes do not include data processing.
Compulsory Privacy Risk Impact Assessments
Data Controllers will now be required to conduct privacy impact assessments where the risk to individuals is high, in order to analyse and minimise the risk to their data subjects.
New Data Breach Notification Requirements
Data Controllers will also have to report data breaches to their data protection authority unless the breach isn't likely to pose a risk to the rights and freedoms of the data subjects.
The notice must be made within 72 hours of the Data Controller becoming aware of the breach, unless a case can be made for exceptional circumstances. In high-risk situations, the data subjects themselves must also be notified. Regular reviews and audits will be necessary to determine whether the supply chain is adequate.
Right to be Forgotten
The right to be forgotten is a self-explanatory concept, giving individuals the right to be removed from databases when they desire.
The GDPR does however offer protection and exemption for organisations classed as 'media' companies, such as newspapers and other news organisations. Google, however, has deliberately withdrawn from being called a 'media' company, and is therefore not protected by this exemption.
EU judges ruled that Google should be classed as a 'data controller', as it collects and processes data. Such data controllers are required to remove data that is considered inadequate or irrelevant. The GDPR contains guidelines on when the right to be forgotten can be exercised.
Data Processor Responsibilities
Data Processors will have legal responsibilities and obligations, and can be held responsible for data breaches. Contractual agreements will have to be updated, and future agreements will need to specify the responsibilities and liabilities of controller and processor.
Parties will have to record their data responsibilities much more visibly, and the resulting increase in risk levels may affect service costs.
GDPR will also allow users to request a copy of their personal data in a format they can use and that can be transmitted electronically to another processing system.
Privacy By Design
Privacy by design embeds privacy into the design specifications of technologies, business practices and physical infrastructures, as opposed to only taking privacy into account at the point of delivery. GDPR also requires that controllers collect only the data necessary to fulfil specific purposes, and dispose of it where they can.
Firms that do business within the EU trade bloc need to start preparing for this dramatic change to European trade. However, with adequate preparation, and if the new legislation works as intended, it may harmonise Data Protection Laws between EU member-states, making commercial operations easier.
What About Businesses Not in the EU?
Businesses not in the EU will still have to comply with the regulation. This is because, even if you're not in the EU, you are still obliged to follow the legislation if you do business in the EU with EU data subjects' personal information.
Any organisation providing products or services to EU customers, or processing their data, may face legal consequences if an incident is reported.
What Will Happen in The Case of a Data Breach?
Failure to comply with the GDPR by May 2018 can lead to stiff penalties from the ICO, in two tiers. The first is a maximum fine of up to €10 million or 2% of your global turnover, whichever is higher. The second is a maximum fine of up to €20 million or 4% of your global turnover, whichever is higher.
Some brands have already made unfortunate mistakes resulting in huge fines for their organisations.
Let's take a quick look at what has happened.
Case Study: Honda Fined £13,000
What Did It Do?
Honda sent 289,790 emails that aimed to clarify its customers' choices for receiving marketing. The data had been acquired from numerous sources, including sign-ups made via the website and at promotional events, customer details passed on from dealers, etc.
What Went Wrong?
Honda could not provide evidence that customers had ever given consent to receive this type of email. Furthermore, its emails were not related to customer service, but instead were classed as marketing-related.
Read the ICO's penalty notice against Honda here.
Case Study: Flybe Fined £70,000
What Did It Do?
Flybe sent 3.3 million emails in August 2016 with the subject line 'Are your details correct?', advising recipients to amend any outdated information and update any marketing preferences. The email also offered an opportunity to be entered into a prize draw on completion of the preferences update.
Flybe had categorised this campaign as 'data cleansing'; however, the ICO did not accept this justification, as the email had been sent to customers who had previously opted out of receiving marketing messages, and who therefore would not require any update to their records.
What Went Wrong?
The customers contacted by Flybe clearly had an opt-out status, meaning the company simply did not have the right to contact them via email. Secondly, the email contained an incentive; under the new standards, consent must be freely given, and offering an incentive does quite the opposite.
Read the ICO's penalty notice against Flybe here.
But Does GDPR Affect MY Organisation?
1. Do you do business within the EU trade bloc?
2. Do you collect & process data?
3. Are you a public authority?
4. Are you involved in the regular & systematic monitoring of data subjects on a large scale?
5. Does your business ask customers to sign up to marketing material?
6. Do you process data on children under the age of 16?
7. Does your customer data include information on their mental, genetic, social, cultural or economic identity?
8. Is your business within the EU?
9. Does your business process data on EU residents?
If you answered 'yes' to any of the above questions, your business will be impacted by the new GDPR legislation.
So, What Are My Options For Consent Forms? Do These Differ Per Channel?
Understanding best practices for consent forms is all well and good, but entry into a subscription list can come from a range of different channels and mediums: from websites (via a registration page, a quick sign-up form, pop-ups and checkout pages) to social media channels and mobile apps.
Below are some best practices to help you create consent forms across the various mediums and channels. Remember to get your new subscriptions process approved by your legal team before going live.
Can You Give Me 6 Top Tips for Dealing With GDPR?
The main impact of GDPR on a business is the extent to which it will need to reduce the amount of personally identifiable material it keeps, and ensure that no information is stored for longer than required.
Broken down into manageable chunks, here are 6 top tips for managing the new legislation.
Tip 1: Use Easy, Clear Language
Consent must be unambiguous. This means customers need to easily understand what they are signing up for. Avoid double negatives, and use the simplest language possible. If there is any room for doubt, it is not valid consent. Examples:
- "I would like to receive emails from [Brand name]"
- "Sign me up for email communications"
- "I understand and agree to the email marketing terms & conditions"
Tip 2: Customers Should Actively Opt-In
If you choose to use a checkbox, avoid having it pre-ticked. Customers should take an action to subscribe to any communications. Pre-ticked boxes, opt-out boxes or default settings should be avoided. Options need to have equal prominence.
Tip 3: Let Customers Freely Choose Content, Channel & Constancy (3Cs)
Sales emails, product launch communications and behaviour-based targeting are all different methods of marketing. Try to provide granular consent options for each marketing type, as a blanket opt-in will not give your customers an outstanding experience. The same applies to frequency and channel: customers should be offered frequency and channel preference options as well.
Tip 4: Gain Consent For Each Of The 3Cs
Be sure to gain consent for each of the 3Cs - content, channel and constancy. This will avoid any potential miscommunication or misunderstanding - providing clarity for business and consumer alike.
Tip 5: Do Not Tie Consent To Other Agreements, Nor Use Incentives
Be sure to keep email marketing consent requests separate from other bundled terms and conditions. This especially applies at checkout stage. Consent should also not be a precondition of signing up to a service, unless it is necessary for that service. Example: "Click here to view our mailing terms and conditions".
Tip 6: Explain Clearly How Customers Can Withdraw Consent
Tell your customers they have the right to withdraw their consent at any time, and clearly detail how to do this. It should be as easy to withdraw as it was to give consent. This means you will need simple and effective withdrawal mechanisms in place, such as a preference centre.
Examples: "All our communications contain an unsubscribe link." "If you wish to stop receiving communications from us, you will be able to do so by following the preference centre link in our emails and website footer."
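The six tips above, and the evidence gap in the Honda case, amount to rules a consent store can enforce mechanically. The following is an added example, not code from the article or from any product; the content types, channel names and record layout are constructed assumptions.

```python
# Added example, not from the article: a consent ledger enforcing Tips 2 to 6 (scope names are constructed).
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
CONTENT = {"sales", "product_launch", "behavioural"}  # the 3Cs: content ...
CHANNELS = {"email", "sms", "push"}                   # ... channel ...
FREQUENCIES = {"weekly", "monthly"}                   # ... and constancy (frequency)

@dataclass
class Consent:
    subject: str
    content: str
    channel: str
    frequency: str
    wording: str        # exact opt-in text the subject agreed to: the evidence Honda lacked
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

class ConsentLedger:
    def __init__(self):
        self._records = []

    def record(self, subject, content, channel, frequency, wording, *,
               affirmative_action, preticked, bundled_with_terms, incentivised):
        # Tip 2: only an active opt-in counts; a pre-ticked box or default is not consent.
        if preticked or not affirmative_action:
            raise ValueError("consent requires a clear affirmative action")
        # Tip 5: not bundled with other terms, not bought with a prize draw (the Flybe case).
        if bundled_with_terms or incentivised:
            raise ValueError("consent must be separate from other terms and freely given")
        # Tips 3 and 4: one record per (content, channel, frequency), never a blanket opt-in.
        if content not in CONTENT or channel not in CHANNELS or frequency not in FREQUENCIES:
            raise ValueError("consent must be granular: unknown content, channel or frequency")
        rec = Consent(subject, content, channel, frequency, wording, datetime.now(timezone.utc))
        self._records.append(rec)
        return rec

    def withdraw(self, subject, content=None):
        """Tip 6: one step withdraws consent; content=None withdraws every active scope."""
        hits = [r for r in self._records if r.subject == subject and r.withdrawn_at is None
                and (content is None or r.content == content)]
        for r in hits:
            r.withdrawn_at = datetime.now(timezone.utc)
        return len(hits)

    def may_send(self, subject, content, channel):
        """Gate every send on an active, granular consent; no evidence means no message."""
        return any(r.subject == subject and r.content == content and r.channel == channel
                   and r.withdrawn_at is None for r in self._records)

    def evidence(self, subject):  # audit trail, active and withdrawn, for a regulator
        return [r for r in self._records if r.subject == subject]
```

Withdrawn records are kept rather than deleted so the ledger can show what was agreed, in which words, and when it was revoked.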