If you haven’t heard about the GDPR, then you soon will. The new EU-wide General Data Protection Regulations will be enforced on all member organisations from the 25th May 2018 and will apply to all organisations globally that store and process personal information about individuals who reside in the EU. As a result, the GDPR will be relevant to UK businesses long after Brexit. The regulations are detailed and prescriptive, and there are some severely punitive measures that can be applied by the Information Commissioner’s Office (ICO) for breaching them.
These regulations have come about largely because of a series of data breaches at big, consumer-facing businesses. For example, Sony had 77 million customer records stolen in 2011; this included individuals’ passwords and online activity profiles. In October 2015, the phone services provider Talk Talk had 150,000 of its UK customers’ names, addresses, dates of birth, email addresses, bank account numbers and sort codes stolen. For that breach, Talk Talk was fined £400,000 by the ICO, which is widely seen as a marker for future breaches. Quite understandably, the public and industry regulators alike have become very concerned about the safety of our digital identities. However, we readily give elements of our digital identity to anyone who asks for it. In return for the ability to pay our council tax online, book a flight or join social media, we don’t hesitate to release information that is uniquely personal to us.
The GDPR has been designed to return ownership of our personal data to us regardless of who has access to it. It applies to the way that the information is stored and processed by any organisation, private or public. It could be the company we work for, the venues we attend or the doctors we are registered with.
There is a minimum set of measures that any organisation will need to put in place that will allow it to identify exactly what personal information it stores and who has permission to use it. There will be no excuse for not having the right security and processes in place, and there is a requirement to identify at least one person to take ownership and responsibility for the organisation’s GDPR compliance. So, where to start? A good place is with your marketing activities.
Most businesses maintain a list of customers and potential customers that they plan to market their products to. Whether you are an architect, a window manufacturer or an industrial training provider, you are likely to want to send information to prospects about your products, promotions and events. With the GDPR you now must be very careful about the audience and content of your electronic marketing activities. The Information Commissioner’s Office says on its website:
‘The most important thing to remember is that you can only carry out unsolicited electronic marketing if the person you’re targeting has given you their permission’.
The GDPR introduces two concepts: data processing, for example an electronic marketing campaign sent to a list of individuals; and consent by an individual to the processing of his or her personal data for one or more specific purposes. The GDPR explicitly defines consent as:
‘any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed’.
Effectively, to ensure compliance with the GDPR you must seek, obtain and be able to demonstrate that you have the consent of an individual to process their details in a marketing campaign. Furthermore, consent must be informed and unambiguous. If the intended processing covers multiple purposes, consent must be granted for all of those purposes. When an individual is asked for consent, they should be given the choice as to each specific purpose rather than an all-inclusive consent to data processing for multiple purposes.
The question, then, is how do you get consent? Those spreadsheets of hot leads sitting on your laptop, which get updated every now and then, will definitely not be compliant with the GDPR. After May, you will have to maintain records that show when and how you obtained consent, exactly what it was given for and when it will expire. However, if you cannot email your list of prospects to ask for GDPR-compliant consent, because doing so would itself breach the consent rules in the GDPR, then your hands appear to be tied.
One obvious route is to use your website. If you ask every visitor for their consent the first time they visit your website, in an unobtrusive yet transparent manner, you are self-selecting valid prospective customers. If they do not wish to give consent and navigate away, then either your website is not compelling enough or they were unlikely to become genuine customers anyway. At the point that you have them hooked, ask them if they consent to receiving updates about new products and special offers, and let them choose how that contact will be made. Give them the opportunity to read more about how you look after their personal information, their right to have it deleted and who is responsible for it, and you will easily have complied with the terms of the GDPR.
DataCAT is a simple, customisable web-based application that will allow businesses to be transparent about their approach to data regulations and how they process data for marketing and communication purposes.
DataCAT stands for Data Compliance Acceptance Tracking. Via a simple online editor, you will be able to design and implement a pop-up on your website which can be applied in minutes.
Through DataCAT, you will be able to promote your company’s data policies from a library of pre-loaded statements and choose how you collect, store and track website data in a manner that allows users to explicitly opt-in to their data being used for compliant and consensual marketing.
For more information on DataCAT read our introductory blog or visit the product page which includes an explanatory video on how it works. Alternatively, please get in touch with the team and we’ll be happy to provide more detail.