The GDPR

1st November 2017

The GDPR legislation entered into force on 24/05/2016 and will apply to all EU Member States from 25/05/2018. That gave companies two years to prepare for compliance, and there are now just over 6 months to go.

The General Data Protection Regulation (GDPR) is a new set of comprehensive data protection rules. The goal of this legislation is to provide the same high level of data protection for EU residents in all EU countries with a unified framework. The GDPR is coming into place to enforce the implementation of reasonable data protection measures, protecting consumers' personal data and privacy against loss or exposure without consent.

Personal data is any information relating to an identified person (data subject), e.g. name, location, age, online identifier, etc. Sensitive personal data is information relating to the data subject regarding other identifiers such as race or ethnic origin, religion, political views, health and so on.

‘Processing’, in relation to our topic, is the recording, obtaining or holding of any information or data that is used to carry out any operation. When it comes to the GDPR there are two classifications of organisations that handle information or data: a processor and a controller. These organisations have different degrees of responsibility. A data controller is a person who determines the purpose for which any personal data is processed and what it is used for. A data processor is the person who processes the data on behalf of the data controller. An example of a processor would be Howard Hunt, who are responsible for processing some clients’ (data controllers’) data for their marketing communications. As a data processor, one of the responsibilities Howard Hunt has moving forward is to make sure that all our clients are compliant with the GDPR legislation. Both data controllers and data processors can be held responsible for any data breach.

It is best to start your preparations for the GDPR early, as the implementation could impact business resource and may require a DPO (data protection officer), especially if you are a large organisation. To begin with, you should look at your current data holdings: where the data has come from, how you obtained it and what you are doing with it. An information audit is an advisable procedure to achieve the best results in doing this. The GDPR requires you to obtain full records of all your processing activity. Having this documentation will help when it comes to updating data. The GDPR is about transparency, so if you hold information on a data subject that is inaccurate and have shared this with a 3rd party, you must tell that 3rd party so they can update their records. Having an information audit will make this process much easier, as well as helping you comply with the GDPR’s accountability principle. You do not want to be the one responsible for a breach. Reviewing your privacy notice is also important, as this will allow you to make changes in time for the GDPR implementation. You can see the privacy notice code of conduct on the ICO’s website for full information on what is required.

Individuals’ rights and access have changed slightly compared to the current DPA (Data Protection Act). With this in mind, you should consider whether you need to review your procedures and make changes. This change is the first in many years and is heavily covered in the press. Although many of these rights have always been established, the GDPR has enhanced them, so you may find an influx of requests. Be sure you are prepared when someone comes to you requesting to have their data deleted (forgotten). Large organisations may need new software to handle this amount of information and requests.

You also need to identify the lawful basis for your processing activity. This needs to be explained in your privacy notice. The GDPR implementation can have some practical implications here, as some individuals’ rights will be modified depending on your lawful basis. For example, if consent or opting in is your lawful basis, people will have a stronger right to have their data deleted.

Consent, that is, how you seek and obtain information, is more important than ever. You need to review how you record and manage consent from data subjects. The historic ‘tick box’ that is automatically pre-ticked isn’t going to comply with the GDPR. Consent must be given freely and must stand separate from other terms of agreement. As well as consent to opt in, you must have a clear way to opt out or withdraw consent; this is where the data subject has more rights over their data.

It is important that all your employees know the differences the GDPR will make to your business and their roles. It is also important to explain, especially for all marketing purposes, that the GDPR is our friend, and ‘consent’ is making our jobs easier! There is no longer the worry of sending out information to a whole group of recipients who don’t care about what you have to say or offer. Your campaign segmentation can be even more defined and reach audiences that ARE interested. From a marketing perspective this can only mean one thing, surely? An increase in ROI and maybe even less spend! We can only wait and see.

If you’re worried about the GDPR and your business, you can find further information on the ICO website. If you’d like any advice on your marketing campaigns or wish to speak with anyone with regard to your relationship with Howard Hunt, now or in the future, please contact us on 01322 414 000 or email enquiries@howardhunt.com