Tuesday 4th April 2017
Under the current UK Data Protection Act 1998, companies are allowed to use a “soft” opt-in approach when it comes to data collection. This means that any data collected on customers, in particular email addresses, can be used to form the basis of marketing communications for an organisation. But with the EU’s new General Data Protection Regulation (GDPR) coming into place, new ways in which data has to be collected will have a huge impact on organisations and their marketing activities.
The GDPR follows on from the current Data Protection Act. It gives consumers more say in how companies use their data, making data protection rules near enough the same throughout the EU.
The data protection rules will apply to all businesses based in the EU and/or doing business in the EU. They will have to comply with the new regulations if they collect any personal data from EU citizens. The new regulations will be much tougher, introducing fines for companies not complying. The GDPR has been created to help improve trust in the emerging digital economy.
Although these new changes to data protection may seem to limit how much marketers can communicate with their audience, they have actually been put in place to make data processing much easier for both businesses and consumers. The constant change in marketing will allow businesses to adapt to new environments. And even though there is nothing that can be done except comply, the earlier businesses start to comply with these new requirements, the better prepared they will be when the new regulations come into place in 2018.
Many websites will find both their website privacy policy and cookie policy affected. Both will need to comply with the new regulations as both policies involve the collection of personal data, which must be stated.
Users of a website must have a clear understanding of how their personal data is processed. Therefore the privacy policy must be concise, transparent and easily accessible to all users. This means that it should be written in clear and plain language for users to understand.
The GDPR also includes a much longer and more detailed list of information that must be included in the privacy notice. The key here is making users better informed about the data the website is collecting from them. The ICO provides a table of the new privacy policy requirements which you can work into your privacy policy to ensure you are prepared for May 2018.
Cookie policies are also affected by the implementation of the GDPR. The new changes mean that many websites are currently not meeting the new requirements. The GDPR covers any form of personal data, which is why it involves the use of cookies. Cookies store unique data about a user, meaning that personal data is stored. This means that cookie consent will now need to comply with the GDPR.
As implied consent is no longer enough when collecting data, users will have to take a positive action to signal that they consent to the data collection from cookies. This means that the current pop-up used on many websites stating ‘By using this site, you accept cookies’ will no longer be enough. This also means that sites will need to provide the option for users to opt out. One of the main points reiterated by the GDPR is that withdrawing consent must be as easy as giving consent in the first place.