Contents
Part 1 Information on GDPR
What is GDPR
GDPR and Brexit
Does GDPR Legislation Apply to My Business
Know Who Governs Your GDPR Compliance
Designate a Data Protection Officer (DPO)
Tasks a DPO Must Perform
GDPR Requires Board Level Support
Address How GDPR Affects Stakeholders
The Controllers' and Processors' Roles in GDPR
Protecting Your Data
How to Handle Data Access Requests
How to Handle Data Breaches
Understand the Penalties For Non-Compliance
Part 2 How Will GDPR Affect Marketers
Part 3 The Next Steps
Arriving on 25 May 2018, the General Data Protection Regulation (GDPR) has reshaped the way that all businesses manage and control data and strengthened data protection in favour of the data subject.
It replaced the 1995 Data Protection Directive, which the UK had implemented as the Data Protection Act 1998. A criticism of the Data Protection Act was that it lacked teeth: penalties were limited and the compliance obligations were lighter than those under GDPR. This resulted in countless examples of data being misused.
Now, fines are much more severe and can be unlimited, and the ICO is already beginning to clamp down and use its new powers on those that fail to comply with the current regulation.
As responsible marketers, we understand GDPR and how to make this work for our business, and as business growth experts we also understand how GDPR can be a significant step-change in the way businesses handle data and communicate with other businesses and consumers. We are here to ensure that change is a positive one and guide you on the rules you need to know, how to ensure compliance, and how to make GDPR a positive change in your business.
Since GDPR came into effect, we have continued our mission to help as many businesses as possible. That’s why we have created this extensive GDPR Toolkit for Businesses.
So, if you’re looking to expand your GDPR knowledge or looking to finally get to grips with the rules, sink your teeth into this extensive guide. We’ve packed it full of ultra-valuable information, and our downloadable version comes with some extras we guarantee you’ll find useful.
The GDPR (General Data Protection Regulation) came into force throughout the EU on 25th May 2018, replacing the Data Protection Act 1998 in the UK.
The new law focuses on the data protection rights of all EU citizens and creates new rules for those businesses that control and process their data.
GDPR now means that Europe is covered by the strictest and most comprehensive data protection rules in the world. Before GDPR, different EU national governments had an inconsistent approach to data regulation and many failed to keep up with the rapid changes in technology which revolutionised how companies could gather, store and share data online.
Specifically, GDPR has amended how businesses and the public sector can process data and strengthened the rights of individuals with a focus on consent and control.
Our GDPR Toolkit is the essential GDPR guide for your business, providing everything you need to know to ensure your business is compliant. Included in every one of our GDPR Toolkits is a handy GDPR Checklist to make sure you’ve got everything in place to get compliant.
Brexit introduces a host of uncertainties for businesses in the UK, in the remaining EU states, and in other countries that do business with the UK and the wider EU.
While there are some myths flying around about how leaving the European Union will affect the UK’s obligation to follow EU law, from a UK perspective the impact of Brexit on GDPR is nil. Companies will still have to comply, Brexit or not, because the UK intends to adopt all existing European regulations as it exits the EU.
In order to continue trading with the EU with as little disruption as possible, businesses and organisations need to show they have equivalent measures in place for their customers’ data.
The legislation has wide-ranging application within the EU. Any business or organisation that obtains or processes data from European citizens, specifically their personal data, is subject to this legislation. The regulations still apply even if your business does not have a physical presence in the EU.
The regulators have recognised the added burden of GDPR for small businesses so some of the documentary obligations are different. If your business has more than 250 employees, you must extensively document all of your processing activities.
However, there is a limited exemption for small and medium-sized organisations. If you have fewer than 250 employees, you only need to document your data processing activities that:
GDPR is designed to create a consistent data protection law across all EU member states and provide clear guidelines for any company using the data of EU citizens. As a result of it being so far-reaching, supervisory bodies will exist in each EU member state to regulate GDPR compliance.
For UK businesses that also process EU subject data in other international offices, you’ll need to identify the official supervisory authority in each of those countries, so that you can report any data breaches and receive official domestic guidance on GDPR compliance.
Below you’ll find more information about who your supervisory authority may be depending on your location:
Appointing a Data Protection Officer (DPO) is only compulsory for public authorities and companies involved in the large scale monitoring of individuals, but it is still recommended by the ICO to designate a DPO in all businesses to ensure compliance with the tougher GDPR rules.
Appointing a DPO is not as difficult as it may sound. Any trusted employee is capable of becoming a certified Data Protection Officer who can help ensure your organisation becomes GDPR compliant.
First and foremost, your DPO is the person to turn to with any queries about GDPR. With many significant changes being made to key areas such as consent to process data, having a dedicated person to monitor all areas of your business is vital.
Alongside supporting your business, DPOs are a valuable point-of-contact for both governing bodies and individuals who require information. Having a single individual responsible for this ensures a consistent approach that benefits all.
Furthermore, a DPO can coordinate your transition, performing company-wide audits to make sure data is stored and used properly.
Making GDPR a successful part of your business requires buy-in from every part of your organisation. As such, we recommend that you treat GDPR compliance like a project requiring board-level support and sponsorship.
Confirming this support will help send a message to everyone in your business that GDPR compliance is not only vital, but also a positive opportunity to be seized. GDPR may create a number of challenges that need to be overcome. However, once you put in the effort, you’ll be rewarded with a system that allows you to learn more about your customers and target your marketing to better meet their needs.
This will help improve your customer satisfaction by providing a better customer experience – something that should be stressed to every department head.
Once you have buy-in from each Head of Department, the responsibility of itemising the risks of GDPR can be delegated amongst the teams. To do so, here’s a short checklist of what each department head can do within their respective teams:
Once a department has gone through this process, the DPO can check these risks accordingly and ensure they are, in fact, GDPR compliant.
Understanding the differences in the roles of Controllers and Processors comes down to a subtle difference in who controls the data. In short:
Therefore, while the Data Controller has a greater share of the responsibilities, both roles must ensure they ultimately guarantee compliance with the rules. Regardless of whether your business fulfils the role of controller, processor or both, ensuring compliance is vital for avoiding hefty fines. As a result, understanding both your role and the responsibilities associated with it are a crucial part of preparing for GDPR.
GDPR has redefined how businesses store their data. The driving force behind this is that businesses are legally required to report any data breach that is likely to put a person’s rights or freedoms at risk to their supervisory authority.
With 46% of all UK businesses falling victim to at least one data breach or attack in the year leading up to the deadline, you have to be prepared for that eventuality by implementing storage systems that allow you to secure data and protect against breaches, and also easily find data.
This ability to find data quickly is also important because, with data subjects agreeing to varying consents, it’s vital to know whom you can contact about what (which falls under PECR). Under GDPR, protecting your data goes hand-in-hand with protecting your business.
Under GDPR, individuals have the power to make requests to data holders (i.e. companies like yours) about subject data that is being controlled and/or processed. It is the responsibility of the organisation to determine how they handle such requests.
Data Subject Access Requests are nothing new, but the GDPR has made a number of important changes that you need to be aware of:
However minimal or significant the breach may be, a process must be established within your company to detect, report and investigate any breach of personal data.
A data breach is recognised as any breach of security that can cause destruction, loss, alteration, unauthorised disclosure of, or undue access to personal data you store, transmit or process in some way. Such situations can occur accidentally or unlawfully.
Under Article 33 of GDPR, you must notify the appropriate supervisory authority no later than 72 hours after becoming aware of a breach. If you do not submit a notification within that time, the data controller must explain the delay.
Additionally, when you write a notification of the breach to the appropriate supervisor, you must address the following:
It’s likely that the first thing you heard about GDPR was the fines that organisations are susceptible to if they fail to comply. These have been increased significantly. In fact, had the fines issued by the ICO in 2016 been issued under GDPR, they would have been 79 times higher.
Below are the two tiers of fines, relevant to the degree to which you have violated GDPR compliance.
Tier 1 contains the lower level of fines, which are:
Tier 2 contains the maximum fines, which are:
For a comparison: under the Data Protection Act, fines topped out at £500,000. For more information on the fines, you can read our article here about the dangers of not documenting your GDPR compliance.
All businesses deploy some form of marketing to share their products and services with leads and customers. Therefore, the impact of GDPR on marketing is something every business must sit up and take notice of.
How much of an impact GDPR has will depend on the type of marketing your business currently uses. For those using outbound marketing, GDPR will make techniques such as cold-calling more difficult as consumers demand consent for you to process their data.
In its place, GDPR opens the door for inbound marketing, which puts your visitors and leads at the heart of your marketing by nurturing them to customers with valuable content that they can consent to.
Great marketing means creating a personal, customised experience for leads and customers alike. This is done through a number of strategies, the most popular of which is email marketing, something 75% of marketers say they use more now than they did three years ago.
The key to successful email marketing under GDPR is ensuring you have defined your legal basis for processing the data subject’s data. If the data subject is a consumer rather than a business, you also need consent under the Privacy and Electronic Communications Regulations (PECR) to contact them.
Under GDPR, consent is defined as:
“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
Simply put, this means that all data obtained must be freely given and that the person giving consent has to knowingly agree that you will have their information. This is markedly different to the consent rules under the Data Protection Act, where data subjects could have consented for their data to be held by failing to opt-out.
Central to the GDPR definition of consent is the new rule requiring subjects to positively opt-in, which means no more pre-ticked consent boxes on online forms. Alongside making it transparent what they are consenting to, businesses must be clear about a subject’s right to withdraw their consent at any time.
First and foremost, it is important to make clear that when we talk about what consent needs to include, we are not just referring to a single, blanket consent you can apply to every part of your business and type of marketing.
Part of creating a transparent consent system for your leads or customers is making it clear and specific exactly what they are consenting to. That means you will need to create multiple consents for each way you wish to use a subject’s data.
The ICO outlines the elements needed for a compliant consent, but we’ll take you through the checklist below:
How you approach disclosing the information is up to you, but, to be legally compliant, all conditions must be met.
Having to redesign your system of consent may seem tough on the face of it, but the positives far outweigh the negatives.
Why? Well, every piece of consent you obtain will tell you a new piece of information about what your leads and customers want. This means that you can create far more targeted marketing to meet their needs. This will improve how your company can nurture leads on their journey to becoming a customer, and eventually flag-waver, for your company. And the best part?
"Your leads will want to hear from you."
Because the changes to consent now demand greater transparency, leads will know exactly what they are signing up for. So, when you have a database of contacts who have agreed to be contacted by you, you know each and every one of them is waiting to engage with your marketing and your business.
GDPR tackles some of the difficulties around child and parental consent. Under GDPR, a person is no longer a child at 16; however, the regulation allows member states to lower this to as little as 13. It is the responsibility of the data controller to know the age of consent in the member states where it is conducting business.
Where you are looking to gain consent from persons under that age, consent should be gained from a person with parental responsibility and businesses must make reasonable efforts to verify that the person providing the consent is actually a parental figure.
Parental consent does not necessarily apply to the processing of data that is required to comply with other legal obligations, or where the data processing relates to preventative or counselling services offered directly to a child.
If you offer services directly to a child, you must ensure you have a clearly written privacy notice that children of that age will understand. When offering these services, it is vital to be aware of the age of the audience you are targeting.
As a vital aspect of modern, digital marketing, companies with official privacy policy notices on their website need to ensure they are up-to-date and GDPR compliant.
The key to creating a privacy notice that will not breach the new regulation is to make sure you are transparent in explaining how the collected data is being used and confirming that it is being processed fairly and lawfully.
When gathering data directly from a person, your privacy policy must disclose:
When data is collected directly, all of the above need to be provided at the time the data is obtained.
If data is obtained through a source other than directly from the subject (third-party data providers), you need to include all of the above (excluding j and k), as well as:
Since you cannot immediately share your privacy policy when sourcing data from a third party, you must provide the information held in your policy at the following times:
You can find out more information on creating a GDPR compliant privacy policy for data not obtained directly in Article 14 of the regulations.
It is clear that to be completely GDPR compliant, you need to ensure you have a structured data storage strategy. The first step is to audit how you currently store data. You may find that data is held across multiple locations and systems in your organisation, and that some of it is out of date or simply incorrect.
Once you know where your data is, centralise it and ensure it is secure and internally accessible. There is no right or wrong way of deciding how your data is stored as it is unique to the business; the key is to make sure everyone in your organisation who needs to access it can.
Auditing your data is a great opportunity to identify any subject data that does not meet the GDPR requirements. That’s right, GDPR even applies to data gathered before May 2018 when it was introduced. So, if you don’t have that transparent, active consent, you’ll need to contact the data subject to request it.
The upside of this is that it will streamline your data and ensure everyone on your contact list wants to be contacted.
The General Data Protection Regulation applies to all organisations, big and small, and with a dramatic increase in fines, your business cannot afford to be left unprotected. In fact, the average fine issued by the ICO is now £146,000 (double the previous year leading up to the 2018 deadline).
While GDPR brings a lot of change to your business or organisation, it also presents a great opportunity. The benefits of complying are threefold:
If you are one of the businesses that have struggled to apply the complex rules surrounding GDPR and are yet to implement even the correct privacy and cookie policies, surprisingly, you’re not alone – but you are behind.
Our team of digital growth experts are ready to help you find out how GDPR can be the kickstart you need to supercharge your business growth.
Finding out how we can help you solve many of the challenges of GDPR is simple. Just book a Marketing Assessment today with a member of our team:
All businesses and companies will need to remain aware that the collection of customer data does cross over into many digital marketing activities.
By demonstrating your acknowledgement of such policies, your business will show your consumers that you care about their privacy and, in the long term, you will facilitate trust and loyalty among your customers.
Remember, this guide is for information only and we always recommend seeking legal advice to ensure your business and your customers are protected. You can also find useful information and advice on the ICO’s website.