Is your business GDPR compliant?
It’s a question business owners and marketers have heard far too much in recent months, and they will inevitably hear a lot more in the coming months, as the crucial (super smiley face) 25 May 2018 deadline fast approaches.
So, what is GDPR, who does it affect, and what action should you take?
GDPR – which stands for General Data Protection Regulation – was developed by the European Parliament and aims to strengthen data protection laws for individuals within the European Union.
It replaces the UK Data Protection Act 1998 and is supposed to simplify and unify data protection laws across all countries in the EU. It does, however, have implications worldwide, as companies that sell goods and services to EU countries, regardless of their geographic location, must be compliant.
Although it technically became law on 27 April 2016, the Regulation becomes enforceable on 25 May 2018, at which point businesses need to ensure they are fully compliant, or they risk incurring hefty financial penalties.
Some people say complying with GDPR requires extensive planning and in some cases, a complete change in processes and procedures.
The reality, for most, is that the change is minuscule. It should not be ignored, but the changes and updates required are so small you could argue they merely constitute the best practice many organisations have been applying for some time.
Put simply, GDPR is designed to clean up some poor practices conducted by the few. It is the many, though, who are feeling the brunt.
It seems every type of company, from accountants, HR advisory firms, law practices and IT companies to greengrocers and candlestick makers, has been jumping on the bandwagon of running seminars on the subject without truly understanding (or, in some cases, having read!) the Regulation and its subsequent Recitals.
It’s Regulation 2016/679, by the way. It’s 88 pages long and there are 173 Recitals.
G.D.P.R = Got Desperate People Rich(er)
The Shocking Myths
Mainly, the rumbles and rumours have surrounded the need to re-consent (re-paper) your existing database. You don’t (in 99.9999999% of cases). This has been magnified by the creative linking of actions by companies such as Wetherspoon’s (allegedly) deleting their entire email database. For the record, this was an entirely separate matter and was conducted for different reasons, as has been documented.
How are businesses affected?
At the heart of GDPR is personal information, which is defined as any information that can be used to identify a person (directly or indirectly), including: name, identification number, address and IP address.
It also covers sensitive personal information, such as genetic data, health, sex life, sexual orientation, religious and political views, and mental, physiological, economic, cultural or social identities. Basically, anything that could put someone at risk of unlawful discrimination.
GDPR will effectively police the way companies collect, store and process information about individuals.
When holding personal information, businesses must ensure:
1) It is processed lawfully, fairly and in a transparent manner
2) That data is only processed for a specified, explicit and legitimate purpose
3) Any information held must be relevant to the specified purpose
4) All data must be accurate and up to date
5) No data is kept for longer than necessary
6) Information is handled and processed in a way that maintains security
7) There must be a ‘lawful basis’ for processing the data
But what is the bottom line with GDPR?
When it comes down to the ‘brass tacks’, GDPR is about consent. Yes, one worthy change is that consent now has to be given for each channel of marketing (SMS, email, post, telephone, etc.) and cannot be assumed to be global consent. But again, most larger businesses, and some smaller ones too, were operating in this way already.
Now, though, all businesses must acquire consent post May 2018 that is “unambiguous” and demonstrable. Some will need to improve here.
They must also make it easy for that consent to be withdrawn. This is hardly groundbreaking, however!
Recital 171 of the GDPR reads:
“Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation”
So if the consent you obtained pre-GDPR was obtained to a GDPR standard, i.e. it was “unambiguous” and demonstrable (auditable) in line with the requirements, you don’t need to obtain further consent. (This basically means that if you obtained clear, non-hidden consent and it can be audited in some manner, then it is GDPR compliant.)
Since these requirements didn’t apply pre-GDPR, for some (very small number of) businesses the consents obtained pre-GDPR won’t be valid once the GDPR comes into effect, and so they are likely to need to obtain new GDPR-standard consents, or accept the risk of non-compliance and the increased fines.
But in the real world, outside of those air-conditioned seminar rooms, the databases of most companies were built using unambiguous and auditable practices.
Recital 47 of the GDPR says that:
“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
GDPR does acknowledge that direct marketing will often be a ‘legitimate interest’ (legitimate interests being a non-consent based ground for data processing) and therefore consent to direct marketing is sometimes not required under the GDPR as long as legitimate interest is “unambiguous”.
This means the practice of purchasing or renting data from approved suppliers (read: reputable ones, and always have been, GDPR or no GDPR) for the purpose of direct marketing, for uses that easily fall within the realm of legitimate interest, can continue. Phew!
Alas… G.D.P.R = Got Desperate People Rich(er)