General Data Protection Regulation, or GDPR, replaces existing data protection and privacy legislation. This new regulation addresses the distribution of personal details for all individuals within the European Union. Coming into effect on 25th May 2018, it puts individuals in control of their data, giving them authority to opt in, opt out, or be forgotten completely.
Mooreskills has been preparing for GDPR and this week we attended a presentation on its implications, key steps to take as well as its impact on marketing activity in particular.
Here are the key messages we took away:
Information Commissioner’s Office (ICO)
The ICO is the UK’s ‘independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.’ As a reliable and impartial source of information, the ICO is a fount of knowledge when it comes to GDPR. From the ’12 steps to take now’ guide to their data self-assessment toolkit, it’s a one-stop shop for the advice you need.
Where is all of your data kept? Why do you have it? Where did you get it from? How long did you intend to keep it for? Is the data relevant and necessary? One of the first steps in GDPR prep is an audit of all the data you hold – clients, customers, prospective customers, partners and… everyone, basically! Under the legislation, every individual in the EU has a ‘right to access’ all the data you hold on them and to request its source. Equally, they also have the ‘right to be forgotten.’ Cleanse your data and know exactly what you hold and why.
GDPR affects everyone
All staff within an organisation, across all sectors, are affected by the new legislation. With 1 in 5 UK businesses not prepared for GDPR, it’s clear to see that everyone needs to brush up on their understanding and start to put actions in place within their own job role. From marketing and sales to data and PR, we all need to be educated and take responsibility for what GDPR means to our role.
The reason it is vital for all staff to be aware of and comply with GDPR is to avoid breaches of the legislation. For example, leaving a work mobile phone in a conference room would be a breach, as clients’ and colleagues’ details could be saved on the phone. Even leaving a work notebook in a café would be a breach. It is important for everyone to understand the importance of data protection even at this level – for example, by enabling password protection on a mobile device.
Clear opt out
You may have noticed lots of emails popping into your inbox recently explaining changes to terms and conditions and privacy policies. Companies such as Facebook and Twitter are informing their users of the way GDPR is affecting their terms, and encouraging individuals to accept these changes. If they do – great! They will stay on the mailing list and will continue to receive updates from the company – until they wish to unsubscribe or opt out. However, if the request is ignored, after 25th May that company can no longer contact the individual, as doing so would be a breach of GDPR. It is vital to include clear opt-out links/buttons in your communications to make it clear that recipients have the choice to be removed or to stay.
Here is a great example from The Collective Dairy:
Difference between B2B and B2C regulation
The main focus of GDPR is on the individual, the consumer, the customer. Protecting the data of individuals in the EU is at the forefront, meaning large organisations with oodles of information on thousands of individuals will be targeted the most. Even organisations outside the EU (for example, a call centre in Sydney that has your details on file) cannot contact an EU citizen after 25th May if they have not re-opted in/given consent for their details to be kept.
The difference between B2B and B2C here is that B2B communication just needs to have a clear opt-out. Communication can continue as normal (as long as it is of legitimate interest to the recipient) until they wish to opt out in the future. B2C communication is highlighted above: there must be a double-opt-in process, so even individuals who have already signed up to a mailing list still need to reconfirm this, or decline, by 25th May, or they cannot be contacted again.
We’re not going to know it all
Finally, it’s important to remember that, like any new legislation or initiative, it’s impossible to know it inside out from the very start. The key thing to remember here is that if you have plans in place and a process to follow then you are abiding by GDPR – for example, ensuring you unsubscribe those who wish to be removed from your mailing list within a reasonable time frame (30 days, for example). Keeping your head in the sand and ignoring the ticking clock is the worst thing you can do, but equally, you don’t need to know every small detail. Keep abreast of what is happening and remain aware as it unfolds post-25th May.