What is GDPR?
GDPR is the new General Data Protection Regulation which will come into force from 25th May 2018. It will replace the current Data Protection Directive 95/46/EC. The new regulation intends to strengthen and unify data protection for all individuals in the European Union.
But what about Brexit?
Even though the UK is set to leave the European Union, the government has fully committed to GDPR. From a global perspective Europe is leading the way with GDPR and although data protection is constantly developing, the rest of the world is likely to follow over time. And if nothing else, all you would have to do is store one EU citizen’s data on your system and you would have to be compliant with GDPR anyway. Any company not compliant with GDPR would face significant difficulty in trading with the EU.
So, what does GDPR actually involve?
Valid Consent: There will be stricter rules surrounding consent to use people’s data. Obtaining consent for processing personal data must be clear and seek an affirmative response or opt in system.
Transparency: People will have a right to see what information you hold about them. You must be able to tell any one person at any time how their data is being used.
The Right to Correction: Individuals will have the right to rectify any information that is incorrect.
The Right to Erasure: In some cases, people will have the right to have their data completely erased.
Data Portability: People will be able to request their data is moved from one service provider to another.
The Right to Object to Automated Processing: Individuals will have a right to object to certain types of automated processing.
How will GDPR impact PR & Marketing?
GDPR will impact all areas of businesses, it’s not just an issue for compliance teams. GDPR will arguably change the way in which marketing departments operate. In marketing we work with a lot of data, particularly when it comes mailing or analytics. Communications data such as name, email, phone number and address, all fall under the GDPR remit.
With GDPR in place, marketers will only be able to mail people who have opted in to receive messages. The sign-up process must include information to subscribers about the brand that is collecting consent, and outline information on the purposes of collecting their personal data. Records need to be kept of the given consent.
But what about people like journalists who make their contact details readily available? Although you are unlikely to face consequences for mailing journalists you must not be complacent. Only send journalists relevant content and do not abuse the access you have to their information.
There is no allowance for data collected without consent prior to GDPR. Many companies will want to work with marketing and PR firms to make themselves visible in new campaigns to retool and build brand awareness to encourage new opt ins.
You might think that there is going to be a mad rush to collect new data, but this is where ‘privacy by design’ comes in to play. Privacy by design is about being responsible users of information and only collecting the minimum amount of data required to conduct business operations. The data must also not be stored for any longer than is necessary.
Working with other organisations
In an increasingly globalised world of information sharing and collaboration, businesses often work with other partners or services to outsource areas of work. The original data owner is responsible for ensuring there is a procedure in place to confirm the data is used appropriately. There needs to be a formal control in order so that the information is only used for the purpose agreed. This could take the form of a contract or formal assessment of data security and privacy. It’s all about showing that you have effective regulation and control processes in place.
“GDPR won’t impact small businesses like mine”
GDPR will impact all businesses. Rightly so, larger businesses and corporations will have a lot more work to do to make sure they are GDPR compliant, as they often have large databases that feed in to one another. It will become mandatory for large businesses processing high volumes of data to appoint a Data Protection Officer. But small businesses also need to be able to prove they are compliant, even if it’s in the form of a 1-page document. You need to have some sort of document you could show a compliance officer to demonstrate you are GDPR ready. Any business you work with inside the EU, where sharing data is involved will be required to assess you to some extent in terms of GDPR. So, it’s worth getting it right.
What are your obligations?
Accountability: Demonstrate compliance by maintaining accurate data processing records.
Data Transfer: You are only allowed to transfer data if the appropriate safeguards are in place.
Data Security: All data must be kept secure and protected.
Data Breaches: Data breaches must be reported within 72hours.
Data Protection Officers: DPO’s will be mandatory in organisations processing large volumes of data.
Data Protection Impact Assessment (DPIA): DPIA will be mandatory if you’re processing activity results in a high risk to any person’s data rights.
What will happen if you don’t comply?
Regulators are super serious about data protection and responsibility this time around. Regulators in the UK have begun a serious recruitment drive, so companies will certainly be subject to checks. Data Protection Authorities and the Information Commissioners Office (ICO) will be able to flag companies that are not compliant and carry out an assessment. Consumers and individuals will also gain power from this perspective as they will be able to make complaints about any organisation they feel is using their data irresponsibly. Hefty fines will be placed on businesses who are not compliant with GDPR.
There is certainly a lot of information to take in surrounding GDPR and it is important to do your research and make sure your business is compliant. The emphasis is on being responsible data users and being able to demonstrate how you comply rather than defending yourself if you don’t. GDPR is a great opportunity for businesses and organisations to get into shape and promote how you control data use in a professional manner.
Benefits of GDPR
Enhance customer trust
Improve brand image and reputation
Strengthen data governance
Tighten information security
Increase competitive edge
It’s important to do your research and get the correct protocols in place. The ICO website is a great place for more information on GDPR. Check it out here.