What is GDPR and how will it affect my company?
Big data has completely revolutionised the way companies do business. Thanks to rapid IT developments, companies now have unprecedented access to information about their clients, customers, marketing leads and everything in between.
It’s fantastic for business owners attempting to improve their services and strengthen sales – which is why a staggering 85% of companies are trying to become more data-driven. But with great power comes great responsibility.
Customers across the globe have become increasingly wary about the way in which companies are using and sharing their personal data. That’s why the European Union has stepped in with sweeping legislation designed to empower consumers and punish companies for infringing on people’s privacy. It’s called GDPR, and if you handle any data whatsoever, it will affect the way you do business.
To help you understand those new rules and how they will change the way your company operates, we’ve set up a brief guide.
What is GDPR?
The General Data Protection Regulation (GDPR) is a new legal framework set up by the EU in April 2016. That means its rules will apply to all European states – including the United Kingdom. The UK’s planned departure from the EU may or may not impact its domestic implementation. But for now, the UK Government has confirmed that all UK companies will need to comply with GDPR – which is a compilation of strict new laws on privacy and data protection.
GDPR will come into effect on 25 May 2018, and builds on the core rules on privacy notices, personal data, individual rights and jurisdiction that are outlined in the existing UK Data Protection Act 1998 (DPA). It essentially spells out the way “controllers” and “processors” use and store information. If you’d like to learn more about controllers and processors, the ICO has an all-encompassing guide spelling out exactly who they are and how to tell the difference.
The most important thing about GDPR is the penalty your company may be liable to pay if you’re found to be non-compliant. Under the new rules, the Information Commissioner’s Office (ICO) can impose fines of up to €20 million or 4% of your company’s worldwide turnover – whichever is higher.
What’s different about GDPR?
GDPR is a lot like the DPA, but it imposes tougher rules on companies in several key data and privacy areas.
First and foremost, GDPR penalises companies for being unclear with customers when those customers sign up for marketing communications. Individuals must now explicitly opt in and give consent to any company newsletters, marketing calls or other messages.
If your business uses online forms, you can no longer use pre-ticked boxes. What’s more, your company must also clearly communicate its intention to use data and approach individuals via multiple platforms. That means if you’re going to contact a customer via email and SMS, you need to spell that out on your enquiry form so that they can pick and choose, at a granular level, how you’ll be using their data.
The trickiest issue for companies in terms of GDPR compliance will be grandfathering consent. From May 2018 onwards, companies will only be able to process and keep data about staff and customers that was collected under the previously outlined rules on giving explicit consent. The EU has said companies will be allowed to “grandfather” data, meaning they can keep using data collected before May 2018, as long as it was gathered in a way that was already GDPR-compliant – but examples of pre-existing compliance are rare.
This means it could be illegal to store and use a huge proportion of your customer data once GDPR comes into effect.
Another crucial aspect of GDPR is that it stipulates large businesses and public authorities need to appoint a designated Data Protection Officer to be responsible for all of this data. You’re allowed to appoint a single data protection officer to act for an entire group of companies if you need to. It’s worth bearing in mind this won’t apply to small companies unless they’re engaging in large-scale systematic monitoring or handling of sensitive personal data.
GDPR also expands child protections in terms of data. From May onwards, all potential enquirers under the age of 16 must provide companies with explicit permission from a parent before the company is allowed to process their details.
Finally, GDPR is not limited by national borders, thanks to its clauses on international data use. Even if your company is based outside the UK, it must comply with all GDPR rules if it’s using or monitoring any data relating to an EU citizen. Likewise, your company must obtain explicit permission from an individual to transfer or use their personal data anywhere outside the EU.
Consent and privacy
If your company needs to be GDPR-compliant, valid consent is going to be the first major hurdle. The new regulations will make it a lot harder to obtain valid consent and process personal data.
For reference, consent is defined as a freely given, specific, informed and unambiguous indication of the individual’s wishes. If you want to use a customer’s information to process a sale or keep in touch with marketing emails, that’s what you need to obtain. More importantly, you’ve also got to keep records so your company can demonstrate that consent has been given by the individual.
All requests for consent must now comply with the following rules:
- Plain language: A request for consent must be in an intelligible and accessible form in clear and plain language, and in accordance with the Directive on unfair terms in consumer contracts.
- Separate: When a request for consent is part of a written form, it must be clearly distinguishable.
- Affirmative action: The consent must consist of a clear affirmative action. The use of “pre-ticked boxes” is no longer permitted.
- Consent to all purposes: If you’re going to use an individual’s data for multiple purposes, consent must be given for each of those purposes. You can no longer ‘bundle’ consent. The policy wording is ambiguous, but good practice indicates that compliance means clearly explaining to individuals that they will more than likely be approached via multiple marketing platforms as part of their relationship with the company.
- No detriment: Consent won’t be valid if the consumer doesn’t have a genuine free choice or would be penalised for refusing or withdrawing consent.
- No power imbalance: Consent might not be valid if there is a clear imbalance of power between the individual and the controller.
- Not tied to contract: Consent isn’t valid if it’s a condition of performance as part of a contract.
- Withdrawable: The individual needs to be able to withdraw consent at any time, and must be told of that right prior to giving consent. In short: it should be as easy to withdraw consent as it is to give it.
If you’d like more information about what constitutes consent, the ICO set up a comprehensive guide as part of a wider consultation project.
As previously outlined, consent given under the Data Protection Directive will continue to be valid under GDPR – but only if it meets incoming GDPR requirements. This means your company can no longer keep or use personal data that was provided to you without having met all GDPR requirements on consent.
This is going to be a major issue for UK companies. Theoretically, this means each company should be going back out to every single individual in order to obtain fresh consent. It’s fair to assume a large number of individuals will opt out – potentially impacting your company’s reach.
Unfortunately, there’s no way around it. If you’d like to keep using customer data without risking non-compliance, you’ll need to reobtain consent. The easiest way to do this will probably be to issue a message to individuals requesting that they click through to a re-subscribe link, using GDPR-compliant wording as per the new regulations on consent.
GDPR and children
New GDPR standards indicate that someone under the age of 16 cannot actually give a company their consent in terms of data submission. Instead, companies must obtain consent from a person holding ‘parental responsibility’ for that individual. That might sound scary to companies offering child-friendly goods or services, but the truth is the new GDPR rules on child protection aren’t very different from existing DPA regulations.
Under current law, companies must display a plain-English notice informing children they’re required to obtain parental or guardian consent prior to sharing personal information. This message must be displayed at the point of request – and in order to verify the child has actually requested consent, a follow-up communication needs to be sent to the parent or guardian stating that the child’s permission has been received. In that message, you must also offer the parent or guardian another opportunity to opt out.
The EU has given individual member states the power to lower the age of consent to 13 for domestic use – although the ICO has yet to provide guidance on whether the age of consent will be lowered in the UK. For now, the best advice legal experts seem to be able to offer is that it’s better to be safe than sorry.
One of the most crucial aspects of GDPR is that it transcends the EU’s borders. Your company can be registered anywhere on the globe – but if you’re handling data that belongs to an individual within the EU, you will need to comply with all relevant aspects of the legislation.
That means non-EU companies with customers based in the EU must adhere to GDPR. Likewise, UK and EU companies are obligated to inform individuals at the point of request if they plan to send or process their data outside the EU. Best practice indicates any foreign third parties should be explicitly named.
What does that mean in practice? If your company processes or stores customer information or data overseas, you must first obtain the consent of any individuals concerned. Similarly, any third-party company you rely on for marketing or relationship management services that’s based overseas will need to adhere to relevant GDPR stipulations, too.
This can be spelled out in any online enquiry or confirmation forms your company might be using – as well as in your online privacy statement.
The bottom line
At the end of the day, your company’s compliance with GDPR is crucial. Some of the stipulations on obtaining consent might seem trivial – and they can certainly be a pain. But if your company is found to be non-compliant with GDPR, the financial repercussions could absolutely ruin your business.
That being said, there are plenty of ways to work around GDPR in order to establish prosperous marketing and business processes. A lot of this is common sense – and when in doubt, you should seek guidance from the ICO.