Darren Bond

Disclaimer – I’m not a lawyer, so this is not legal advice. I’ve chewed through the regulations and I have gained a fairly clear idea of what the changes are, and am highlighting them below. I’m also focussing on what this means for marketers – but these regulations reach far and wide, to any personal data.

What Is The GDPR?

The GDPR is new legislation from the EU to help protect its citizens and their personal data. It comes into effect in 2018. These new rules protect EU citizens globally: even companies based outside of the EU will have to abide by them when dealing with personal data from EU citizens.

Personal Data

Personal data essentially means any data that you can use to personally identify an individual – like a name, email address or phone number. Data that is anonymous, like website performance tracking data, is not covered.

Data Controllers & Data Processors

A Data Controller is someone that owns personal data (of any kind). For example, your customer data is personal data, and as the business that owns it you are its Data Controller.

A Data Processor is someone that processes personal data that belongs to someone else. For example, your email marketing platform would be a Data Processor as they use and ‘process’ personal data, but do not own the data.

The Big Changes

Responsibility for data

Currently Data Controllers are responsible for the safekeeping of their data. However, these new rules extend more responsibility to Data Processors. This includes agencies like us, as well as any mail platforms, external CRM systems – anywhere your customer data could be ‘processed’.

Consent – Users Have To Opt-in

I know what you’re thinking – we already have to do that. True, but the rules on consent are changing. The majority of the changes are focussed on record keeping (by both the Data Controller and Processors involved).

“To be valid, consent must be knowingly and freely given, clear and specific. Organisations should keep clear records of what an individual has consented to, and when and how this consent was obtained, so that they can demonstrate compliance in the event of a complaint.”

  • Freely given – users have to have taken a positive action to opt in. A pre-ticked box does not count.
  • Specific – a user has to be able to opt in to each form of communication separately. If you use email and telemarketing, the user will need to be able to opt in to both, either or neither of these forms of marketing.
  • Informed – users now need to be explicitly reminded of the rights that these regulations provide. Privacy Policies will need to be updated to ensure this is covered.

This applies retrospectively too – if your existing consent does not meet the new regulations, then you will need to consider how you can bring it up to date.

Buying Data And Third Party Consent

Buying or leasing data is currently a well-used practice, particularly in B2B marketing; however, these changes also affect third-party consent.

“In most circumstances, indirect consent would not [be sufficient] – as the customer did not directly notify the sender, they notified someone else. Therefore it is best practice for an organisation to only send marketing texts and emails, or make automated calls to individuals, if it obtained consent directly from that person”

When buying data (in most cases) you’ll have to be able to show that you gained consent directly from the users – the guidelines suggest you should aim to do this within a reasonable period (one month), or at the latest in line with the first communication.

But surely if the user has opted in to have their data passed to third parties we don’t need to gain consent again? This is currently true; however, the new regulations tighten up on how third-party consent can be gained.

As an example – here’s a privacy policy that could currently be used to opt-in to pass data to a third party:

“We may use the personal information that you supply to us and work with other third party businesses to bring selected retail opportunities to you via direct mail, email and telemarketing. These businesses may include providers of direct marketing services and applications, including lookup and reference, data enhancement, suppression and validation and email marketing.”

With the new rules this would not be specific enough. It is not clear what these businesses actually are or what they do, and the business types listed are likely to be meaningless to most people.

Consent Is Not Forever

Another change relevant to consent is that consent will expire over time. Although there are no defined limits, the context in which consent was given has to still be arguable for that consent to remain valid. For example, let’s say I subscribe to a magazine and opt in to receive marketing communications from them. After 12 months, I don’t renew my subscription – is my initial consent (now 12 months old) still valid? Arguably no, as I’ve unsubscribed from the magazine. It’s likely that new consent would need to be gained.

Record Keeping And Reminding

As well as all these changes, more detailed records will need to be kept. Data Controllers are obliged to keep records of when and where a user gave consent and what they gave consent for. If a user asks, you have to provide it. It’s also the obligation of the Data Controller to remind opted-in users of their rights and of what data is stored on them. Records should also be kept of when users were last reminded.

Data Breaches

As well as all the above, there are some changes to how breaches need to be reported. This is a follow-up to some high-profile breaches in recent times, and again is designed to protect citizens.

TalkTalk, for example, had a large data breach and fulfilled their current obligations by reporting the breach to the regulator within 72 hours. However, it wasn’t until months later that customers were informed. In this time, the customers’ details were available online, and fraudsters were able to take advantage of this.

The new rules impose bigger fines, and also mean breaches have to be reported to both regulators and customers within a short window.

It’s also worth noting that if the data that’s lost is encrypted, then it’s not classified as a data breach.

In Summary

TL;DR – Big changes are coming. As marketers we need to make sure that:

  • we have specific, detailed consent for all of the personal data we use
  • users are made aware of how their data is used
  • we keep detailed records of how this was all done and when the user was last reminded of their rights

The first step is likely to be auditing any data that you do own, and how it moves around the business or between Data Processors. You’ll need to understand what data is where, what consent is associated with it, and who is processing it, so that you can comply with any potential requests from users or authorities.

The Information Commissioner’s Office (ICO) has all the gory details if you’d like to find out more:
https://ico.org.uk/for-organisations/guide-to-data-protection/
https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/
