On top of the current laws and regulations covered by the Data Protection Act, new rights are being introduced that allow people to access the information companies hold about them, along with obligations for all businesses that store or use personal data. As with most regulatory changes, there are significant fines for those who don’t comply in the event of a breach.
Beyond requesting access to their data, which is already part of the current Data Protection Act, consumers have also had their rights strengthened in terms of withdrawing consent. In short, consumers now have more control and power, and businesses have to implement stronger controls and processes when dealing with data capture, consent, storage and associated marketing preferences.
The key points covered by GDPR
Right to access - Individuals can now request access to any data held on them for free (previously a nominal charge of £10 applied).
Right to be forgotten - Under the new GDPR regulations individuals can request to be removed from databases altogether (not simply flagged as ‘do not contact’). This doesn't just mean contact lists or email marketing databases but CRM systems too.
Data breach notifications - Individuals who have their data held must be notified of any data breaches within 72 hours of the event.
Privacy by design - Compliance with GDPR regulations and general data protection must now be taken into account from the get-go when creating new systems to ensure that personal data is secure and that only required data is captured.
Data Protection Officers - Public companies or businesses whose primary activities include data processing must now appoint a “data protection officer” rather than simply giving notice to local authorities.
What Do I Need to Do
The revised legislation will apply to all EU member states from 25th of May 2018 and is likely to affect all UK-based businesses even post-Brexit, given that GDPR will affect any business that handles any EU citizens’ personal data.
Explicit consent must be given
The area that is perhaps going to have the most impact is that implied consent, or ‘soft opt-in’, will no longer be allowed. For example, automatically signing up web form submitters to marketing materials, or storing a user's personal details without their explicit consent.
Businesses must now be able to provide evidence that any single individual explicitly gave their consent to communications and to the storage of their personal information, and did not simply have their data captured by default.
“Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action – or in other words, a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must also be separate from other terms and conditions, and you will need to provide simple ways for people to withdraw consent. Public authorities and employers will need to take particular care to ensure that consent is freely given.” - ICO
This includes dark UX practices such as pre-checking “please sign me up to your newsletter” checkboxes, or marketing to users without consent following product purchases. It will also be possible for customers to withdraw previous consent at any time, meaning you will need simple, robust measures in place to handle this.
Accounting for individuals’ revised rights
Prior to the new regulations coming into force next year you should take steps to plan for the following:
Make your teams aware of the change - Ensure that your marketing, web, and management teams are aware of the changes, and update any marketing materials, processes and policies to take the new regulations into account.
Review existing databases - Are you already collecting consent, and are the consent method, date and time recorded? Are you able to quickly remove a user's details from your databases if requested? Is the data you collect stored securely, and only for as long as it is needed?
Implement procedures - Implement procedures that address individuals’ new rights under GDPR, covering how consent is gained and recorded, how this consent can be proved, how it can be easily withdrawn, and how an individual’s data can be completely removed from or exported out of your databases if required.
Managing third party systems such as CRMs and email marketing platforms
Aside from your website, connected systems such as CRM, email marketing software and remarketing platforms driven by personal details will require significantly more care and attention, as they too fall under the scope of GDPR.
As an initial step it would be prudent to ensure that, if you receive a ‘right to be forgotten’ request, you can quickly and easily remove details from all of your connected systems. Try a dry run and see how tricky this is. Can you easily identify and access all of the systems where personal data is stored? Can it be removed without causing knock-on problems? How confident are you that the customer data has been totally removed? What about backup systems and test platforms?
A right to be forgotten action means the complete removal of a person's details from your systems, rather than simply flagging them as ‘do not contact’. On top of this, it may be worth ensuring that any suppliers who store personal details on your behalf are also GDPR compliant, as you may have an implied responsibility.
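The two practical checks above, recording consent with its method, date and time so it can be proved and withdrawn, and running a ‘right to be forgotten’ dry run across every connected system, can be sketched in a few dozen lines. The following is an added example written for this page, not code from the original article or from any particular CRM or marketing product; every system name, record and email address in it is constructed for the illustration, and the class and function names are hypothetical.

```python
"""Added example (not from the original article): a minimal consent ledger
plus a right-to-be-forgotten dry run across stand-in connected systems.
All systems, records and addresses below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class ConsentRecord:
    email: str
    purpose: str                 # consent is recorded per purpose, e.g. "newsletter"
    method: str                  # how it was captured, e.g. "web_form_checkbox"
    source: str                  # which form or page captured it
    given_at: datetime           # UTC timestamp of the affirmative action
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Keeps the evidence that a person explicitly opted in, and when they withdrew."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record_opt_in(self, email: str, purpose: str, method: str, source: str,
                      user_ticked_box: bool, box_pre_ticked: bool) -> ConsentRecord:
        # A pre-ticked box or an untouched form is not an affirmative action: refuse to log it.
        if box_pre_ticked or not user_ticked_box:
            raise ValueError("consent must be a positive opt-in, not a default")
        rec = ConsentRecord(email, purpose, method, source, datetime.now(timezone.utc))
        self._records.append(rec)
        return rec

    def withdraw(self, email: str, purpose: str) -> None:
        # Withdrawal is logged rather than deleted, so the history stays provable.
        for rec in self._records:
            if rec.email == email and rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = datetime.now(timezone.utc)

    def has_consent(self, email: str, purpose: str) -> bool:
        return any(r.email == email and r.purpose == purpose and r.withdrawn_at is None
                   for r in self._records)

    def evidence(self, email: str, purpose: str) -> List[dict]:
        """The method/date/time trail you would show if asked to prove consent."""
        return [{"method": r.method, "source": r.source,
                 "given_at": r.given_at.isoformat(),
                 "withdrawn_at": r.withdrawn_at.isoformat() if r.withdrawn_at else None}
                for r in self._records if r.email == email and r.purpose == purpose]


class ConnectedSystem:
    """Stand-in for a website DB, CRM, email platform or backup holding personal data."""

    def __init__(self, name: str, rows: Dict[str, dict], supports_delete: bool = True) -> None:
        self.name = name
        self.rows = dict(rows)
        self.supports_delete = supports_delete   # False models e.g. immutable backup snapshots

    def delete(self, email: str) -> None:
        if self.supports_delete:
            self.rows.pop(email, None)

    def still_holds(self, email: str) -> bool:
        return email in self.rows


def erase_everywhere(email: str, systems: List[ConnectedSystem]) -> Dict[str, bool]:
    """Run a forget request across every registered system and report residue.
    Returns {system name: True if the person's data is still present}; any True
    is a system the dry run has shown you cannot yet clear."""
    for system in systems:
        system.delete(email)
    return {s.name: s.still_holds(email) for s in systems}


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.record_opt_in("ann@example.com", "newsletter", "web_form_checkbox",
                         "/checkout", user_ticked_box=True, box_pre_ticked=False)
    print(ledger.evidence("ann@example.com", "newsletter"))
    systems = [ConnectedSystem("website_db", {"ann@example.com": {"name": "Ann"}}),
               ConnectedSystem("crm", {"ann@example.com": {"name": "Ann"}}),
               ConnectedSystem("backup_snapshot", {"ann@example.com": {}}, supports_delete=False)]
    print(erase_everywhere("ann@example.com", systems))
```

The point of the residue report is the last question in the section: a system that returns True after the run (here the constructed backup snapshot) is exactly the one you need a separate retention or purge process for before you can answer a forget request with confidence.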
You can find out more about GDPR in the UK with the Information Commissioner’s Office here: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/
For an informal confidential discussion about how GDPR may affect your business, get in touch with us today.