What is GDPR?
The EU General Data Protection Regulation (GDPR) is the biggest and most important change in data privacy regulation in around 20 years. You should already be familiar with the existing UK Data Protection Act 1998 (DPA); however, GDPR will be replacing this in a few months’ time.
When will it be enforced?
Following years of preparation, GDPR was approved by the EU Parliament in April 2016 and will be fully in place in the UK as of 25 May 2018. And no, Brexit will not affect GDPR.
At that point, any business that is non-compliant will face hefty fines. But as the famous saying goes, “fail to prepare, prepare to fail”; you’ll see around you that many people are doing their best to set things in place now.
Who will it affect?
Putting it simply - everyone. Whether or not it’s part of your job, you as a consumer have rights that you need to be aware of.
What does it apply to?
GDPR’s definition of data is much more detailed than the DPA’s; for example, your IP address can be personal data. For the most part, you can assume that any information you hold – from HR records to customer lists – that falls within DPA will fall within GDPR. If you hold sensitive data, there are some minor changes compared to DPA that you will need to be aware of.
How does GDPR affect marketers?
It’s all about proving how you obtained the data and that you had consent to obtain it for its uses. If you’re collecting data, it must be for a relevant purpose that is clearly communicated.
If you run a campaign or competition you can only use the data for that purpose. Harvesting data from this to use for a different campaign or competition will need further consent. Bad news for us all as this has been common practice for many. Existing databases will need to be reviewed to ensure the appropriate consent has been granted.
What about B2B marketing?
As so many email addresses for corporate subscribers are within the public domain, there is a big question around what it means for B2B marketing.
At the start of 2017, the European Commission published a draft of the new E-privacy Directive that will sit alongside GDPR. As it stands, there is no current requirement for opt-in consent for B2B email marketing. There should, however, still be an option to opt-out and unsubscribe from future communications.
Make sure you’re clear on the definitions
Consent: “The consent of the data subject means any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.”
Personal data: “Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.”
Data controller: “The natural or legal person, public authority, agency or body which alone or jointly determines the purposes and means of processing personal data.”
Data processor: “The natural or legal person, public authority, agency or body which processes personal data on behalf of the controller.”