What you need to know about GDPR

It’s less than 1 year until EU General Data Protection Regulation comes into place…

5 May 2018. If that date doesn’t instantly hit you over the head, you might be among the 90-odd percent of UK companies without a clear EU GDPR plan already in place. The 5th of May next year should be front and centre of your thinking.

EU GDPR is the long-awaited reform of European data protection, but it’s by no means only a ‘European problem’. It affects any global organisation that monitors or processes private data within the EU. And it affects the UK, regardless of a soft, hard or U-turn Brexit.

Without doubt, EU GDPR will affect the marketing of your organisation. To help you, here is a brief overview of its key features.

At a glance

The aim of GDPR is to harmonise European data laws and give back control of personal data to private individuals.

Although there’s been a certain amount of panic about its potential impact, at its root GDPR merely extends many of the key principles of the 1998 Data Protection Act. Most of the regulations it imposes on organisations are already in place through the DPA. So this isn’t the end of the world. It does, however, introduce regulation in some significant new ways.

You are more accountable

EU GDPR requires organisations not just to comply with data protection laws, but to proactively demonstrate proof of compliance. Personal data must be collected for a specific purpose, held no longer than is necessary, and obtained with clear, recorded consent. Consent must be “freely given, specific, informed and unambiguous.” Once obtained, personal data must be processed and stored securely.

And responsibility for the above no longer falls to the poor IT guy, who probably already has enough on his plate. Any organisation that harvests or stores private data as one of its core activities must appoint a Data Protection Officer (DPO), who reports to the C-suite level from a position of independence. The DPO’s role is to inform the data processor and data controller of their obligations, monitor compliance, conduct internal audits and co-operate with the relevant data protection authority.

Privacy matters

The days of those vaguely worded or tricksy concealed opt-outs, which invited readers to check a box if they didn’t want to receive further marketing communication, are a thing of the past. Individuals must now give explicit consent for their personal data to be stored, a record must be kept of how this consent was given, and consent can be withdrawn at any time.

Whereas B2C marketers may be accustomed to obtaining opt-ins, the new requirement to get unambiguous consent represents a shake-up for many B2B marketers. What is slightly concerning is that the DMA reported that just 25% of B2B marketers see themselves as being significantly affected by the new rules.

EU GDPR also introduces several new rights that go beyond the provisions of the DPA. In short, individuals have the following rights:

  • to be informed
  • of access
  • of rectification
  • of erasure
  • to restrict processing
  • to data portability
  • to object

This is quite a significant difference when compared to the current DPA, where individuals had to make a Subject Access request to see their personal data on file, pay a £10 fee, and wait ages for a reply. Under GDPR, organisations must supply the required information within a month, in a variety of formats, and at no cost to the individual.

Breaches come at a price

If an organisation has a data breach, or does not have the required policy in place, it could be hit with fines of up to 4% of its annual worldwide revenue (up to 20 million Euros) for Personal Data Breaches (PDB) or Administrative Breaches. Whereas under the DPA victims of a data breach needed to show they suffered financial loss or actual harm, under GDPR the burden of proof shifts to the organisation collecting data.

Organisations must also report any data breaches within 72 hours to the Supervisory Authority or face the consequences. An organisation will still need to hold a Data Protection Compliance Review (DPCR) every two years to audit its data collection processes thoroughly.

Silver lining

Maybe I’ve painted a bit of a black picture of it all, what with increased regulation, fines, etc. But GDPR can also bring many positive benefits to your business.

For a start, it requires marketers to convert opt-out consent to explicit opt-in consent. Email marketers in particular will find themselves with a more effective tool for reaching their audience. This is because opt-in data significantly out-performs opt-out where engagement rates are concerned.

In addition, GDPR forces your organisation to conduct a thorough audit of what data you have, where and how it’s stored, and who is responsible. It forces you to finally tackle the problem head-on, and should make you develop a strategy for a world where, let’s be honest, data will be king.


Relevant article (Aug 7th 2017): UK data protection laws to be overhauled

Author

Paul Handford

Planning Director