Customers across the globe have become increasingly wary about the way companies use and share their personal data. That is why, in May 2018, the European Union's sweeping legislation designed to empower consumers and penalise companies that infringe on people's privacy came into force. It is called the GDPR, and if you handle personal data at all, it affects the way you do business.
We've created a brief guide to help you understand the GDPR rules and how your company can operate within them.
Big data has completely revolutionised the way companies do business. Thanks to rapid IT developments, companies now have unprecedented access to information about their clients, customers, marketing leads and everything in between. It’s fantastic for business owners attempting to improve their services and strengthen sales – which is why a staggering 85% of companies are trying to become more data-driven. But with great power comes great responsibility.
What is GDPR?
The General Data Protection Regulation (GDPR) is an EU regulation that became directly applicable in every EU member state, the United Kingdom included, on 25 May 2018; the UK's Data Protection Act 2018 supplements it rather than enacting it. The UK Government stated that it would keep the GDPR in UK data protection law after the Brexit transition period, and it has done so: the regulation was retained in domestic law as the "UK GDPR" and continues to sit alongside the Data Protection Act 2018.
GDPR spells out the way “controllers” and “processors” use and store information. If you’d like to learn more about controllers and processors, the Information Commissioner’s Office (ICO) has an all-encompassing guide spelling out exactly who they are and how to tell the difference.
The most-cited feature of GDPR is the penalty your company may be liable to pay if it is found not to be compliant. Under GDPR rules, the ICO can impose fines of up to €20 million or 4% of your company's annual worldwide turnover, whichever is higher. Fines are tiered, with the top tier reserved for the most serious infringements, but the exposure is real.
How does GDPR work in practice?
GDPR imposes tough rules on companies in several key data and privacy areas.
First and foremost, GDPR penalises companies for being unclear with customers when they sign up for marketing communications. Individuals must actively opt in and give consent for any company newsletters, marketing calls or other messages.
If your business uses online forms, you cannot use pre-ticked boxes. You must also spell out each way you intend to use the data and each channel you intend to contact people through: if you plan to reach a customer by both email and SMS, your enquiry form needs a separate, unticked box for each, so that people can choose how you will use their data at a granular level.
GDPR also contains robust privacy regulations. Companies must explain how and why they're using data, how long they'll hold on to it, explicitly state the third parties they might share it with, and explain that individuals have the right to object, to withdraw consent and to complain to the ICO if they're not happy with how their data is being used.
The trickiest issue for companies in terms of GDPR compliance is "grandfathering" consent. You may only keep processing personal data about staff and customers that was collected before 25 May 2018 if the consent was gathered in a way that already meets the GDPR standard described above.
Consent that was bundled with other terms, implied from silence, or captured with pre-ticked boxes does not carry over. In practice, examples of genuinely compliant pre-existing consent are rare.
Another crucial aspect of GDPR is the Data Protection Officer (DPO). Appointing one is mandatory for public authorities and for any organisation whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special-category data. The test is what you process, not how big you are, so a small company can fall within it and a large one can fall outside it. A group of companies may appoint a single DPO, provided they are easily accessible from each establishment.
GDPR also protects children's data. Where an online service offered directly to a child relies on consent, a child below the age of digital consent cannot give it themselves; a holder of parental responsibility must consent on their behalf. GDPR sets that age at 16 but lets member states lower it to 13, and the UK's Data Protection Act 2018 chose 13.
Finally, GDPR reaches across national borders. Even if your company is based outside the UK or EU, it must comply if it offers goods or services to, or monitors the behaviour of, individuals in the EU; what matters is where the person is, not their citizenship. Transferring personal data outside the EU is restricted: the transfer must rest on an adequacy decision, on appropriate safeguards such as standard contractual clauses, or, failing those, on a narrow derogation such as the individual's explicit consent to that specific transfer after being told of the risks.
Consent and privacy
If your company needs to be GDPR-compliant, valid consent is going to be the first major hurdle. Consent is defined as a freely given, specific, informed and unambiguous indication of the individual's wishes. Consent is one of six lawful bases for processing, and it is the right one for marketing emails. Processing a customer's details to fulfil a sale rests instead on performance of a contract; asking for "consent" there is unnecessary and, because the customer cannot freely refuse it, invalid.
More importantly, you’ve also got to keep records so your company can demonstrate that consent has been given by the individual.
All requests for consent must comply with the following rules:
- Plain language: A request for consent must be in an intelligible and accessible form in clear and plain language, and in accordance with the Directive on unfair terms in consumer contracts.
- Separate: When a request for consent is part of a written form, it must be clearly distinguishable.
- Affirmative action: The consent must consist of a clear affirmative action. The use of “pre-ticked boxes” is not permitted.
- Consent to all purposes: If you're going to use an individual's data for multiple purposes, consent must be given separately for each of those purposes. You cannot "bundle" consent. In practice this means a clear explanation of each purpose and each marketing channel, with its own opt-in, rather than one box covering everything.
- No detriment: Consent won't be valid if the consumer doesn't have a genuine free choice or is penalised for refusing or withdrawing consent.
- No power imbalance: Consent may not be valid if there is a clear imbalance of power between the individual and the controller, as is often the case between an employer and an employee.
- Not tied to contract: Consent isn't valid if it's made a condition of a contract or service that does not actually need that data.
- Withdrawable: The individual needs to be able to withdraw consent at any time, and must be told of that right prior to giving consent. In short: it should be as easy to withdraw consent as it is to give it.
If you’d like more information about what constitutes consent, the ICO set up a comprehensive guide to GDPR as part of a wider consultation project.
As outlined above, consent given under the old Data Protection Directive remains valid under GDPR only if it meets the GDPR requirements. This means your company cannot keep or use personal data that was provided to you without all of the GDPR requirements on consent having been met.
This is a major issue for UK companies. If you'd like to keep using customer data without risking non-compliance, you'll need to re-obtain consent, typically by inviting individuals to click through to a re-subscribe link using GDPR-compliant wording. Be careful how you send that invitation: an email asking for marketing consent is itself a marketing email under the Privacy and Electronic Communications Regulations (PECR), and the ICO has fined companies for emailing contacts to ask for consent they did not already hold.
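The consent rules above and the grandfathering problem translate directly into what a consent record must capture. The following is an added example, written for this guide and not code from the ICO or any real system: a small append-only consent register that stores one event per person and purpose, refuses consent that did not come from an affirmative action, treats pre-25 May 2018 consent as valid only if it was captured under wording already reviewed as GDPR-compliant, and makes withdrawal a single call. The purpose names, wording versions, subject IDs and dates are constructed for illustration.

```python
"""Minimal consent register: an append-only audit trail of per-purpose consent
so that consent can be demonstrated and withdrawn as easily as it was given.
Added example for this guide; all purposes, wording versions, subject IDs and
dates below are constructed, not taken from any real system."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Date from which the GDPR applied. Earlier consent can only be "grandfathered"
# if the wording it was collected under already met the GDPR standard.
GDPR_APPLICABLE = datetime(2018, 5, 25, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str            # one granular purpose, e.g. "marketing_email"
    given: bool             # True = consent given, False = declined/withdrawn
    at: datetime
    wording_version: str    # version of the consent text the person saw
    source: str             # where it was captured, e.g. "web_form"
    explicit_action: bool   # a tick or click by the person, never a default


class ConsentRegister:
    def __init__(self, compliant_wordings: set):
        # Wording versions reviewed as meeting the GDPR consent standard.
        self._compliant_wordings = compliant_wordings
        self._events: List[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        # A pre-ticked box or a silent default is not consent.
        if event.given and not event.explicit_action:
            raise ValueError("consent must come from an affirmative action")
        self._events.append(event)  # append-only: history is never edited

    def record_form(self, subject_id: str, form: Dict[str, str],
                    at: datetime, wording_version: str) -> None:
        """Map a form with separate, unticked-by-default boxes to one event
        per purpose. Browsers omit unchecked boxes, so a missing field is a
        decline for that purpose; nothing is bundled."""
        for purpose in ("marketing_email", "marketing_sms", "marketing_phone"):
            ticked = form.get(purpose) == "on"
            self.record(ConsentEvent(subject_id, purpose, ticked, at,
                                     wording_version, "web_form", ticked))

    def withdraw(self, subject_id: str, purpose: str, at: datetime,
                 source: str = "unsubscribe_link") -> None:
        # Withdrawal is one action, the same effort as giving consent.
        self._events.append(ConsentEvent(subject_id, purpose, False, at,
                                         "-", source, explicit_action=True))

    def _latest(self, subject_id: str, purpose: str,
                at: datetime) -> Optional[ConsentEvent]:
        hits = [e for e in self._events if e.subject_id == subject_id
                and e.purpose == purpose and e.at <= at]
        return max(hits, key=lambda e: e.at) if hits else None

    def has_consent(self, subject_id: str, purpose: str,
                    at: Optional[datetime] = None) -> bool:
        at = at or datetime.now(timezone.utc)
        e = self._latest(subject_id, purpose, at)
        if e is None or not e.given:
            return False
        # Legacy consent survives only if its wording already met the standard.
        if e.at < GDPR_APPLICABLE and e.wording_version not in self._compliant_wordings:
            return False
        return True

    def evidence(self, subject_id: str, purpose: str,
                 at: Optional[datetime] = None) -> Optional[ConsentEvent]:
        """The record you would show a regulator: who, what, when, which wording."""
        return self._latest(subject_id, purpose, at or datetime.now(timezone.utc))

    def needing_reconsent(self, purpose: str,
                          at: Optional[datetime] = None) -> List[str]:
        """Subjects whose latest consent for a purpose is a pre-GDPR one that
        cannot be grandfathered; these are the people to re-approach."""
        at = at or datetime.now(timezone.utc)
        out = []
        for sid in sorted({e.subject_id for e in self._events}):
            e = self._latest(sid, purpose, at)
            if e and e.given and not self.has_consent(sid, purpose, at):
                out.append(sid)
        return out


def demo_register() -> ConsentRegister:
    """Constructed sample history (not real customer data)."""
    utc = timezone.utc
    reg = ConsentRegister(compliant_wordings={"v3"})
    # alice: 2017 newsletter sign-up under old bundled wording v1 -> not grandfathered
    reg.record(ConsentEvent("alice", "marketing_email", True,
                            datetime(2017, 3, 1, tzinfo=utc), "v1", "web_form", True))
    # bob: GDPR-standard consent in 2019, withdrawn in 2020 via unsubscribe link
    reg.record(ConsentEvent("bob", "marketing_email", True,
                            datetime(2019, 1, 10, tzinfo=utc), "v3", "web_form", True))
    reg.withdraw("bob", "marketing_email", datetime(2020, 2, 2, tzinfo=utc))
    # carol: granular form, email and SMS ticked, phone left unticked
    reg.record_form("carol", {"marketing_email": "on", "marketing_sms": "on"},
                    datetime(2021, 5, 5, tzinfo=utc), "v3")
    return reg
```

The register never overwrites or deletes an event, so the answer to "did this person consent to SMS marketing on this date, and what did they see?" is always recoverable; `needing_reconsent` is the list you would feed a re-consent campaign, and the PECR caveat above still applies to how you contact them.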
GDPR and children
GDPR sets the age of digital consent at 16 but allows member states to lower it to 13, and the UK has done so. In the UK, then, someone under 13 cannot give a company their consent for an online service offered directly to children; instead, companies must obtain consent from a person holding "parental responsibility" for that child.
GDPR beyond the EU
One of the most crucial aspects of GDPR is that it transcends the EU's borders. Your company can be registered anywhere on the globe, but if you're handling data belonging to individuals in the EU, you will need to comply with all relevant aspects of the legislation.
That means non-EU companies with customers based in the EU must adhere to GDPR. Likewise, UK and EU companies are obliged to tell individuals, at the point of collection, if they plan to send or process their data outside the EU and what safeguards cover the transfer. Best practice indicates any foreign third parties should be explicitly named.
What does that mean in practice? If your company processes or stores customer data overseas, the transfer must be covered by one of the lawful transfer mechanisms (an adequacy decision, appropriate safeguards such as standard contractual clauses, or a narrow derogation), and the individuals concerned must be told about it. Explicit consent to the transfer is only one of the derogations, not the default route. Any overseas third party you rely on for marketing or relationship-management services is a processor of that data and must be bound by a GDPR-compliant contract, too.
This can be spelt out in any online enquiry or confirmation forms your company might be using – as well as in your online privacy statement.
The bottom line
At the end of the day, your company’s compliance with GDPR is crucial. Some of the stipulations on obtaining consent might seem trivial – and they can certainly be a pain. But if your company is found to not be compliant with GDPR, the financial repercussions could ruin your business.
That being said, there are plenty of ways to work within GDPR and still run prosperous marketing and business processes. A lot of this is common sense; when in doubt, seek guidance from the ICO.