Warnings about the General Data Protection Regulation (GDPR) have been hurled around in the past year like weapons. This EU regulation comes into force in May 2018 and will undoubtedly change the data protection landscape forever. However, while the GDPR is certainly going to make an impact, for marketers, complying with its requirements is much less onerous than many people think.
What is the GDPR designed to do?
Very basically, it requires data controllers to effectively implement data-protection principles and to integrate data processing safeguards. It also sets a standard for the volume of personal data collected – restricting this to only what is necessary for the purpose of the processing. Summed up even more succinctly: put measures in place to minimise data processing, and process and store only the minimum data necessary.
Why is the GDPR different?
For the first time in data protection regulations affecting the UK, the GDPR introduces the concept of privacy by design. This is an approach to projects and planning that incorporates privacy and data protection considerations from the very start. It shifts the focus from reactive data protection to a requirement to take proactive and pre-emptive measures. It is also the first piece of law that seriously increases the penalties for not properly protecting data. In years gone by, data protection fines were so low that most businesses just risked them. Now, with fines topping £17 million, or 4% of turnover for the previous year, that risk is no longer worth it.
The issue of consent
For those in the marketing world the changes to consent are one of the most significant parts of the GDPR. Some of the points to note for those sending out marketing communications include:
- Recording who gave consent to data processing and how it was given is key
- Making it easy for people to withdraw their consent is a must
- If you’re processing data for multiple purposes then you need to make sure you have consent for all of them
- You need more than silent consent, pre-ticked boxes or inactivity for GDPR level consent i.e. consent must be given actively as opposed to assumed
The right to be forgotten
Consumers will now have a right to access and remove data under certain circumstances: for example, data that has been unlawfully collected, data collected when there was no legitimate reason for processing that person’s information, and data where consent to data processing has been withdrawn. For many businesses the tricky issue is working out how to keep track of the status of each piece of data, and how to ensure that any communication containing a request to be forgotten is acted on. That’s what must be tackled before May 2018.
A new attitude
The GDPR requires a pretty significant attitude shift to personal data, which for years has been viewed by many businesses as theirs to manage and handle as they choose. The reality is that the chances of compliance will be significantly improved with the right attitude:
- Start viewing data privacy as the default situation and starting point
- Get used to taking the approach of applying privacy impact assessments to processes and systems to reduce the risk of harm via information misuse
- See your business as responsible for the security of data throughout its lifecycle
- Be transparent in your data protection policies and procedures
- Approach data protection proactively and preventatively – look to actively avoid issues rather than having to make amends after the event
And finally, start developing a bit more respect for user privacy. We have become used to feeling as if we have a right to consumer data but that kind of approach could soon become very costly indeed.