22 Jul
GDPR? ICO? What on Earth does that mean for you and your business?
Many of you will have heard the terms GDPR and ICO, but what are they and is it really important?
Well, the answer is YES, it is very important!
The GDPR is the General Data Protection Regulation, and no, it is not something that doesn’t apply to you. As a business owner it affects you, and ignorance is NOT an excuse, so I thought I’d try to simplify exactly what it means for those who don’t speak the jargon.
The new GDPR system is designed to simplify what is currently 28 different data protection schemes, and here’s what you need to know to be compliant. Penalties can be up to 4% of annual global turnover or €20 million, whichever is the higher. At these stakes, can you afford not to be compliant?
We have all signed up for a product, deal or download, and after that our inboxes can be spammed by hundreds of emails from unrelated companies. We have all been added to dialers that call us about an accident or a PPI claim, and it’s frustrating – how do they get hold of our information? Many of us were involved in the 2017 Bupa, Wonga, Three or Sports Direct data breaches, and we have no idea what information is held on us or who has access to it. Well, the GDPR is designed to stop all unsolicited marketing. Under the GDPR we have to give our CONSENT for this information to be held, whether on a personal or a business level. It is designed to keep all of our personal data safe and secure and to hold accountable those who have access to it. It affects consumers, businesses and employers, and it affects ALL personal data.
It affects ALL data that is kept by a business.
As a business we all have access to and use a large volume of data, ranging from customer and supplier contact details, addresses, and so much more. Not to mention the information we hold on our staff. When you think about it, we really do have a plethora of information that we rely upon to operate our businesses.
So how do you manage this data? Are your records secure? Locked away? Held on a GDPR-compatible, secure software system? What processes do you have in place to ensure security and confidentiality?
If you are an EU business, or you provide products or services to, or market to, any EU business, you must be compliant with the GDPR. It affects businesses worldwide.
Businesses need to look at their data, how they process it, what they use it for, and how long it is kept, and have policies and procedures in place to secure all data to ensure that data breaches are kept to a minimum.
Levels of data:
There are currently 2 levels of data:
- Personal data – this includes anything that belongs to an individual such as name, address, email, and any notes held about any contact or communication you have with them.
- Sensitive data – this includes race, religion, medical history and similar information.
The GDPR regulations come into effect on 25th May 2018, so you must ensure that you are addressing these issues and adjustments NOW to ensure that you comply with the regulations in time.
The Direct Marketing Association predicts that 54% of businesses are expected not to be compliant by the deadline. As the rules are much stricter than the current laws businesses MUST put the work in to ensure that they are compliant in time.
The GDPR now insists that you MUST state the reason for collecting data so your visitors can give informed consent. You will need to explain your lawful basis for processing the data, your data retention periods and that individuals have a right to complain to the ICO if they think there is a problem with how you are handling their data.
The individual must make an ACTIVE step to subscribe. Silence, an opt-out check box or implied consent is no longer an acceptable way to comply. A tick box must be accompanied by easily understood wording that states that in ticking the box the individual agrees to have their details used for specific marketing purposes. Tick boxes can no longer be pre-ticked, as an ACTIVE choice MUST be made by the individual.
IT MUST BE JUST AS EASY TO OPT OUT AS TO OPT IN with all online marketing.
The legal consent clauses MUST stand out from all other parts of the contract. They must be clearly visible and must not be buried amongst lengthy blurb. They must be “intelligible and easily accessible” and in “clear and plain language, in particular, any information addressed specifically to a child”.
Consent must be unambiguous and you must be able to document it. Verbal consent is fine, but you must remember that you must display relevant documentation to supply to the relevant authorities upon their request. Even a face to face meeting will require a written consent.
Consent needs to be supplied for specific purposes. If you would like to use the information for further purposes you will need to obtain further consent to do so. A phrase such as “All future use of my personal data” is no longer acceptable. You CAN, however, list several purposes in one consent statement, so you can accommodate all expected data purposes. This means you will need to be far-sighted whilst not being too greedy, which would scare off potential customers and conflict with the data minimisation principle within the GDPR, which I will talk about later.
Face to Face / Events /Business cards
- You may be given a business card, and this will have personal data on it, but the act of being given this does NOT mean that they have given you permission to add them to your database, or even to target them with your informative marketing mailings and communications. The first thing that you need to obtain is their CONSENT to communicate with them.
Perhaps the way forward when it comes to compliance is adding to the business card, a line of consent e.g. I give consent for this information to be used for the purpose of:
If you are at an event perhaps using a tablet to ask potential customers to review your consent statement and complete an opt-in form there and then might be the best and easiest solution.
Either do this, or ensure that upon input of this data onto your database an email is sent asking them to give consent for you to contact them, for you to hold their data for a stated length of time, and confirming how you intend to use their information and for what purpose. If consent is not given, the data must be removed from the database immediately.
Online sign ups and direct marketing
When you have an online sign-up form there is a double opt-in process that you will now need to adopt. When an enquirer gives you their name and details to download some content from your website or to sign up to your newsletter, you will now need to send them an email, or redirect them to a click-through, to confirm that they want to be on your subscriber list. By doing this you are creating an audit trail to prove that their consent has been given.
Even though you may have obtained consent from your contact to send out informative mailings to them each one must also have an option to opt-out, and the opt out link MUST WORK.
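The double opt-in and working opt-out described above can be backed by a consent ledger that only treats a contact as subscribed once a signed confirmation link has been clicked, and that records every step as evidence. The following is an added illustration, not code from this article: the secret, the 48-hour link expiry and the purpose names are assumptions, and a real system would persist the records and send the links by email.

```python
"""Double opt-in consent ledger (illustrative, not the article's code).

A sign-up only creates a *pending* record. The contact receives a link carrying
an HMAC-signed token; clicking it confirms consent. The unsubscribe link carries
its own signed token so the opt-out works for the contact but cannot be forged
by a third party. Every step is appended to an audit trail.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CONFIRM_TTL_SECONDS = 48 * 3600  # assumption: confirmation links expire after 48 hours


@dataclass
class ConsentRecord:
    email: str
    purposes: Tuple[str, ...]            # the specific purposes shown at sign-up
    source: str                          # where consent was requested (web form, event ...)
    nonce: str                           # one-time value bound into the confirmation token
    requested_at: float
    confirmed_at: Optional[float] = None
    withdrawn_at: Optional[float] = None
    events: List[Tuple[float, str]] = field(default_factory=list)  # audit trail


class ConsentLedger:
    def __init__(self, secret: bytes):
        self._secret = secret             # assumption: loaded from configuration in practice
        self._records: Dict[str, ConsentRecord] = {}

    def _mac(self, *parts: str) -> str:
        return hmac.new(self._secret, "|".join(parts).encode(), hashlib.sha256).hexdigest()

    def request(self, email: str, purposes, source: str, now: Optional[float] = None) -> str:
        """Create a pending record and return the token for the confirmation link."""
        now = time.time() if now is None else now
        previous = self._records.get(email)
        events = previous.events if previous else []   # keep history across re-requests
        nonce = secrets.token_urlsafe(16)
        rec = ConsentRecord(email, tuple(purposes), source, nonce, now, events=events)
        rec.events.append((now, f"consent requested via {source} for {', '.join(rec.purposes)}"))
        self._records[email] = rec
        return f"{nonce}.{self._mac('confirm', email, nonce)}"

    def confirm(self, email: str, token: str, now: Optional[float] = None) -> bool:
        """Validate the clicked confirmation token; only then is consent recorded."""
        now = time.time() if now is None else now
        rec = self._records.get(email)
        if rec is None or rec.confirmed_at is not None:
            return False
        if now - rec.requested_at > CONFIRM_TTL_SECONDS:
            rec.events.append((now, "confirmation link expired"))
            return False
        nonce, _, mac = token.partition(".")
        expected = self._mac("confirm", email, rec.nonce)
        # compare as bytes so arbitrary user input cannot raise in compare_digest
        if nonce != rec.nonce or not hmac.compare_digest(mac.encode(), expected.encode()):
            rec.events.append((now, "rejected invalid confirmation token"))
            return False
        rec.confirmed_at = now
        rec.events.append((now, "consent confirmed"))
        return True

    def unsubscribe_token(self, email: str) -> str:
        """Token embedded in every mailing's opt-out link."""
        return self._mac("unsubscribe", email)

    def withdraw(self, email: str, token: str, now: Optional[float] = None) -> bool:
        """Honour an opt-out link; withdrawal is recorded, never silently ignored."""
        now = time.time() if now is None else now
        rec = self._records.get(email)
        if rec is None or not hmac.compare_digest(token.encode(), self.unsubscribe_token(email).encode()):
            return False
        rec.withdrawn_at = now
        rec.events.append((now, "consent withdrawn"))
        return True

    def may_mail(self, email: str, purpose: str) -> bool:
        """True only for confirmed, un-withdrawn consent covering this exact purpose."""
        rec = self._records.get(email)
        return bool(rec and rec.confirmed_at is not None
                    and rec.withdrawn_at is None and purpose in rec.purposes)

    def evidence(self, email: str) -> List[Tuple[float, str]]:
        """The audit trail to produce if a contact or the regulator asks."""
        rec = self._records.get(email)
        return list(rec.events) if rec else []
```

Note that `may_mail` is checked per purpose, so consent given for a newsletter does not carry over to a different campaign, and a record that was never confirmed, or that has been withdrawn, is treated exactly like one that does not exist.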
Cookies can still be used, however, if you collect data that can identify an individual you will need to have an opt-in policy in your cookie campaign. Customers have the right to refuse to be profiled, this can include such things as analysis of buying patterns. If the individual objects, you can no longer use their data for marketing purposes. Tracking data will need to be turned off by default, until the visitor has given their consent.
Purchasing Data Lists
You can still purchase Data Lists, but you will be viewed as a Data controller in the eyes of the GDPR. This means that you will be legally responsible for the data protection, and you will need to ensure that the members of the list have given their express consent to you NOT just the provider of the data list.
You will also be required to know the origin of the data: where it was collected, by whom, and what the contacts were told about the purpose and storage period. If you’re asked, your subjects have the right to know these facts, and you have a legal obligation to provide this information.
As with any marketing implications, staff will now also need to give consent for you to hold their data. In certain instances, they reserve the right to have certain data removed or updated on your files. Staff have the ability to request access to their data. Due to the ability to withdraw consent, this will make it very difficult for employers to process employee data. Employers may need to rely upon legal grounds for the need to hold staff data. The consent will need to change from the current brief clause within an employment contract to a privacy notice, as advised by the ICO.
When collecting online payments there needs to be a clear statement about where the data goes, and who is responsible for processing and storing it. This is designed to offer individuals and businesses improved security and rigid protection. Due to the fact that consent can be withdrawn at any time auto renewal and subscription payment processes may need to be reviewed.
Transparency of Data Use
A business MUST be clear on how the data will be used. This can be done via privacy policies or notices on your website and attached to any online forms.
You must state:
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- What will be the effect of this on individuals concerned?
- Is the intended use likely to cause objection or complaint?
The Right to be Forgotten – Withdrawal of Consent
Opting out is not enough to cover the GDPR right to be forgotten. Any contact has the right to ask to be forgotten by your company and all of your systems. This means that you must comply and delete all of the data you hold for this contact unless of course, you have a legitimate reason for not doing so, e.g. needing to chase payment.
Within the GDPR is a data minimisation principle which states that “personal data collected shall be adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed”. The policy states that individuals are only kept within the consent for no longer than is necessary for the purpose for which the personal data is processed.
Every business needs to ensure that they have correct procedures in place to identify, report and investigate a personal data breach. All organisations MUST report to the ICO “where a breach may result in a high risk of the rights and freedoms of individuals”. This includes loss of confidentiality or discrimination. The ICO must be informed within 72 hours of the breach.
It is also the duty of the company to inform all of those concerned.
Do I need to have a Data Protection Officer?
You will need to have a DPO in place if you are collecting a large volume of data, dealing with sensitive data or if you are a public body.
So what should you do to prepare for this new legislation?
- Review your current data – carry out a data audit
- Review your software and integrations
- Train staff
- Administer new consent and opt in procedures
- Assess legal grounds for processing legal data
- Understand the penalties
Is your software communicating and integrated? Is there an automatic update if there is an opt out? You need to ensure that all aspects of your software are addressed to ensure that there is no data breach.
You may find that once you have completed your data cleanse and opt-in process you will have drastically reduced the cohort of data you have to work with, but you can be sure that the people who have opted in will be far more engaged with you and your business.
The regulations are coming so you must ensure that you as a business are ready. If you need any help or advice contact us for a 1hr free consultation and advice to help get you ready and avoid not just the headache but also the fines!