In all honesty, no one knows exactly what it means, the ICO and DMA least of all. But here’s what we do know, and how it will impact your business.
Who will be affected?
If your organisation:
– Possesses or processes data pertaining to an identifiable person
– Contacts those individuals via email, phone, SMS or post
– Tracks their engagement via e-shots, cookies, or landing pages for the purpose of profiling an individual
Then you need to start thinking seriously about how GDPR will impact on your business, and start taking immediate steps towards compliance.
What does it mean?
There is no longer any difference between “business” and “consumer” data
The GDPR makes no distinction between B2C personal data and B2B personal data. It’s all personal and subject to the same rules. B2B businesses will need to update their processes to ensure the same levels of protection are given to anyone they wish to contact.
Opt-in replaces opt-out
The opt-out is a familiar part of marketing communication these days: “If you don’t want to hear from us again, tick this box or click this link”. Under the new EU laws, the opt-out will be no more. Instead, opt-in consent will be required for all marketing communications.
Data controllers need to be able to prove that users gave unambiguous, informed, contextual consent and knew exactly what they were agreeing to.
Consent cannot be implied by inaction; it must be the result of a positive action by individuals. Soft opt-in may apply in some circumstances, but it’s better to be safe than sorry.
Right to be forgotten
Individuals now have the right to force data controllers to delete all information they hold on them, including any details retained on a “do not contact” list. Businesses will have to work out new processes to ensure all personal information is thoroughly and permanently erased.
Data on EU citizens will be treated the same wherever in the world it’s held
The Regulations grant enforcement bodies greater powers that apply anywhere in the world, not simply in EU member countries. If you hold data on any EU citizen then you’ll need to comply.
This is a Regulation and not a Directive
Directives are legal guidelines that EU countries must achieve by their own means, whereas Regulations have binding legal force and all come into effect at the same time. In other words, the GDPR is a pan-European law that won’t be influenced by the UK Parliament.
When do I have to comply?
The GDPR was published on 25th May 2016. It gives organisations 2 years to become compliant, so the deadline is 25th May 2018.
What are the consequences if I don’t?
You will be investigated by the Information Commissioner’s Office (ICO), and if you are found to be in serious breach of the new law you could be fined up to €20 million or 4% of your organisation’s global turnover.
It’s a fact the ICO is increasing its staff numbers in preparation for the GDPR, so don’t assume they lack the resources. They stand to profit hugely from this.
Implications of Brexit
The GDPR comes into effect in May 2018. The UK is highly unlikely to exit the EU formally by then, so you’ll still be subject to the legislation. Whilst the long term future of GDPR after the conclusion of Brexit negotiations isn’t certain, the ICO has highlighted that:
“With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens. The ICO’s role has always involved working closely with regulators in other countries, and that will continue to be the case… we will be speaking to government to present our view that reform of the UK law remains necessary” – ICO, 1st July 2016. See the full statement here…
So in short, legislation on very similar lines to the GDPR is likely to be enforced in the years to come. As such, preparation is essential.
Decide whether you will be impacted
If you telephone or email prospects, or possess personal data chances are you will be.
Find out more
Understand exactly what these changes will mean for you. Take a look at the library of resources Nett Sales has collected here…
Review your practices & plan ahead
Establish whether your current level of opt-in meets the new terms. Amend your consent terms, contact every person you wish to communicate with in the future to upgrade their consent level to the new standard and start storing consent forms.
Implement the plan now
Start preparing now while no one else is. Consent is going to become scarce in 18 months’ time, so being ahead of the game could be a huge advantage!
Ask for help
It’s important you get this right, so start thinking about this today and get some help with it if you need to.
See the silver lining
With all the talk of hefty fines and legal action it’s easy to see only the negatives. However, by being forced to encourage prospects to engage you’ll boost both engagement and sales, and see a marked improvement in the quality of your data.
If you are unsure where to go from here, keep an eye out for future articles from Nett Sales, call us on 01672 50 50 50 or drop an email to email@example.com
Whilst this article is meant to inform, it does not constitute legal advice. If you need details about GDPR’s legal implications for your business, please get in touch with your legal advisor.
This article was written with the help of the following pieces, some of which we have quoted directly.