General Data Protection Regulation – Is your Company getting in shape?
VTurner
On Friday 30th September I had the pleasure of attending a General Data Protection Regulation (GDPR) Event in London, hosted by the Direct Marketing Association. The purpose of the event was to clear up all the uncertainty within the direct marketing and data supply community about the future GDPR laws. Attendees ranged from Marketing Managers, Database Managers and CRM Managers to IT, Legal and Compliance representatives.
You might think that companies would be rushing to prepare for the new GDPR, following confirmation that Brexit will not be complete before it is due to be implemented in May 2018. Sadly, it seems you would be mistaken: according to a new study from Dell, organisations are not even close to being prepared, or worse still are not even fully aware of what GDPR is and the impact it will have on organisations once it is implemented.
The study shows that more than 80% of IT and business professionals know virtually nothing about GDPR, with fewer than a third being ready for GDPR today and just 3% actually having a plan of action.
At Refreshed Direct we are always trying to get ahead of the pack and wanted to share with you our understanding of what GDPR really means for organisations.
So what is General Data Protection Regulation?
GDPR will govern the capture, control, consent and use of personal information (where personal information is any information held about a person that can be used to identify that individual, e.g. name, address or email). Whilst built on the core principles already established by the 1998 Data Protection Act, GDPR will also introduce new rights for consumers and individuals.
GDPR was drawn up because, given the growing digital economy, having clearer laws with safeguards in place is more important than ever.
Although Brexit may have some impact on how fully GDPR is implemented in the UK, it is certain that companies within the UK will need to remain compliant with the GDPR regulations in order to continue trading into the EU (in whatever form that trading relationship ends up taking).
With so many businesses and services operating across borders, international consistency around data protection laws and rights is equally crucial both to businesses and consumers.
What are the core rights to individuals within the new GDPR legislation?
- The right to be informed
- The right of access
- The right to have data rectified
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
How long does individual consent last for?
Consent is where the organisation holds written or verbal permission from a consumer, prospect, supplier or other individual to hold their personal data, for up to twelve months. Legitimate interest is where the organisation can justify holding personal data because it is needed for transactions to occur and there is a mutual benefit for both parties. Examples of legitimate interest would be holding bank details in order to pay suppliers, or holding personnel files for HR reasons.
How does this affect Consumer Profiling for Marketing purposes?
There were growing concerns at the event surrounding Consumer Data Profiling and consent to use an individual’s personal data for profiling.
Individuals have the right not to be subject to the results of automated decision making, including profiling, which produces legal effects concerning them or otherwise significantly affects them. In other words, individuals can opt out of profiling.
Profiling (or automated decision making) will be legal where individuals have explicitly consented to it, or if profiling is necessary under a contract between an organisation and an individual, or if profiling is authorised by EU or Member State law.
What if an organisation is found to be non-compliant?
Non-compliance could lead to fines of up to €20 million, or 4% of annual global turnover, whichever is higher. Although figures of this size would obviously only apply to extremely large organisations, fines would be directly proportional to an organisation’s size and profits.
So what can businesses be doing right now in preparation for May 2018?
The impact of GDPR will be wide and profound and will affect organisations of all sizes. It would therefore be prudent to consider appointing a ‘Data Privacy Officer’ to co-ordinate controls and ensure compliance, or alternatively to appoint an outsourced data protection advisor who can guide your GDPR compliance journey and get you up to speed and on the right track.
GDPR will affect many parts of your business, so as well as Marketing, Legal and HR, it’s important to involve the IT or Systems Architecture departments, who can assist with the implementation of cross-system and cross-platform data integrity, as well as archiving and deletion processes.
To illustrate the scale and enormity of GDPR, John Lewis have recently appointed a cross-departmental team dedicated solely to preparing the business for GDPR. This cross-functional team comprises Marketers, Data Privacy officers, Legal and IT Security Architects.
Organisations should introduce an annual preference call to individuals to bring their opt-in consent, and the validity and accuracy of their data, up to date. Expired personal data should not only be archived out of live systems regularly, it should also be permanently deleted across all platforms.
From a practical perspective, transparency towards consumers and accuracy of data will be key. Systems and processes should be designed upfront with consent and consumer privacy in mind. As long as an individual is clearly informed upfront as to why, and for how long, their personal data will be held within your company, and as long as you have the systems and processes in place to prove this, your organisation will be well on its way to becoming GDPR compliant.
Refreshed Direct (trading site of Space and Time) will post further updates on GDPR in the future.
Acting Head of Data Solutions