The rules governing how an individual’s data and online privacy are managed and protected are changing. Here is our guide covering all the basics of GDPR.
Until 25 May 2018, we have all been working under the EU’s 1995 Data Protection Directive 95/46/EC. Within this are the rules for using and storing data that every business within the EU needs to comply with. However, due to technological changes and advances, the rules have been reviewed and changed to better protect and inform people, as well as make data more transparent and accessible.
Businesses are being urged to review the new rules and their own internal processes to ensure they are compliant ahead of May.
There are parts of the new rules that will impact your internal processes and systems, and parts that will impact your marketing.
What is GDPR?
It is the new legal framework that will replace the current Data Protection Act. It brings the whole EU in line with the same data regulations.
GDPR gives individuals more control and information about how their data is being used, stored, shared and processed.
There will be fines of between 2% and 4% of annual business turnover for non-compliance and data breaches. It is important to be ready for the changes to avoid these fines.
How can you be GDPR compliant ahead of May?
If you are already working within the Data Protection Act, you will have a strong foundation in place. However, there are still lots of changes you need to be ready for. We have outlined below some of the steps you need to take.
1. The Information You Hold
The new rules will mean you need to document what data you hold and where it came from. The data you obtain and hold must also be relevant to your business.
If you share data with any third parties and you make changes to the data, you will also need to communicate the changes with those third parties.
2. Individuals' Access to Data
The new rules will give individuals total ownership of their data, even when it’s on your systems. They will have the following rights:
- Right to be Informed - This is part of the consent process. When collecting any data, you need to be clear who you are, why you are collecting the data and how it will be used
- Right to Access - You will have to be able to provide an individual with a copy of all the data you hold on them, for free, in an electronic format, within 30 days of their request. An individual just needs to make a Subject Access Request
- Right to Rectification - You need to have a process in place for keeping data up to date and reporting on any changes that are made
- Right to Erasure - This is their right to be forgotten and have all their records deleted from your systems
- Data Portability - You must be able to share data by request of the individual with them or another party
You will need to receive specific and explicit consent to use an individual’s data, even for putting it onto your systems. Consent needs to be explained and clear, up to date and not inferred.
Data usage consent must be clear and in plain language, not hidden within lengthy terms and conditions. It must also be very easy for a person to withdraw consent. At the point of collecting any data it must be clear who you are, the purpose of collecting the data and how the data will be used and stored.
This might mean you need scripts in place to be transparent about why you are asking for data and what you will do with it.
If you want to send operational, marketing/promotional or sales materials to an individual, they will need to have specifically consented and you will need to have a record of this.
4. Data Protection Officers
There will be internal record keeping requirements, and it will be mandatory to appoint an internal Data Protection Officer (DPO) for businesses that regularly monitor and process sensitive data. Sensitive data is information concerning an individual's personal details, such as ethnic origin, religious beliefs, trade union activities, physical or mental health, or details of criminal offences. The DPO’s role will include very specific responsibilities, and their name and contact details will need to be provided to the local Data Protection Authority.
5. Data Breaches
If your data is breached or compromised and is likely to “result in a risk for the rights and freedoms of individuals” you will have to have a process for notifying all your contacts and the Information Commissioner's Office (ICO) within 72 hours of first becoming aware of the data breach.
6. Internal Training
One of the biggest elements to get right is to get your team on board with the GDPR changes. Everyone at all levels of your business needs to be aware. Decision makers, team managers, customer service, account managers and anyone who speaks to individuals outside of your business all need to know about the changes, your processes and the impact of breaches.
Once you have your business systems and processes sorted, you need to really think about the impact on your marketing efforts.
Your audience will need to have ‘opted in’ rather than ‘opting out’ to receive any communications from you. Email systems like MailChimp are already compliant with GDPR rules as long as you are using them in the right way and any data imports are from opted-in contacts.
The key is that you should only be contacting individuals who have chosen to hear from you and it should be very clear how they can withdraw their consent.
We hope this document has helped to demystify parts of GDPR. Our details are by no means exhaustive and there are many more elements, including the processing of data of anyone under 16 years of age and data sharing.
Some great sources of further information can be found using the links below:
If you would like to speak to us about recruitment, we’d be delighted to talk to you. You can call us on 01858 898 058 or email us at email@example.com