Having joined the GDPR bootcamp for Marketers in Reading on the 15th of September, I wanted to share what I have learned during this full-on (but very enlightening) day in an easy-to-digest blog:
The world is undoubtedly changing. The UK currently relies on the Data Protection Act 1998, which follows the EU Data Protection Directive 1995, to control what happens to the personal data given to companies. However, this legislation is soon to be superseded by GDPR, which will be enforced across all businesses in the European Union from May 2018.
GDPR is the EU’s General Data Protection Regulation and is the result of four years’ work carried out by the EU in order to bring existing data protection legislation up to date and to standardise it across the EU.
GDPR will mean tougher fines for breaches and non-compliance, and provides the public with a greater say in what companies are allowed to do with their personal data. The current legislation was enacted prior to the advancement of internet and cloud technology and the existence of companies like Google and Facebook who routinely swap users’ data.
It is hoped that GDPR will strengthen worldwide trust in the digital environment and will provide businesses across the globe with a simpler, clearer legal framework within which to operate, saving organisations around €2.3 billion annually.
GDPR will apply to all EU member states from 25 May 2018, including the UK until Brexit happens. The UK Government have put forward a new Data Protection Bill, which mirrors GDPR. Once this legislation has been passed, it is thought that the UK will basically copy the EU legislation into British law. Copying the GDPR legislation should mean that the UK’s own data protection standards are acceptable to the remaining EU countries after Brexit. Acceptance is essential in order for the UK to be ‘whitelisted’ as a safe and secure place where EU data can be transferred, allowing international businesses that do so to remain EU trading partners.
GDPR will affect all areas of inbound and outbound marketing. It is indeed a big opportunity for marketers to adopt a more personalised and smarter approach. The marketing team should identify new areas that drive genuine interaction with clients, prospects and suspects.
From the sales team’s perspective, after May 2018 they will have to adjust to more strategic data collection and management, resulting in more valuable conversations with prospects who have chosen how they want to engage with them throughout the sales funnel – a valuable way to exchange information!
Your day-to-day marketing and sales initiatives will be impacted in the following ways:
The ‘new’ principles and what you will need to be accountable for are as follows:
1. Lawfulness, fairness and transparency (The way you handle and manage your customer data)
2. Purpose limitation (How long have you been keeping the data for?)
3. Data minimisation (What data do you currently hold and for what purposes? Do not keep more than what’s needed)
4. Accuracy (How accurate is the data you hold?)
5. Data retention (Is the data you hold still necessary for the original purpose of processing?)
6. Security (How secure is the data you hold?)
All of the above must be consented data, meaning that the information was freely given for a specific purpose and the customer/lead was informed in an unambiguous manner about what you plan to do with it. In addition, their data must be erased at any point in time at their request, with no particular reason needed. This will bring an end to cold calling and mass e-mailing!
“Customer-business relationships are a value exchange and the benefits of getting this right are greater than legal compliance. Who doesn’t value customer trust?” – Elizabeth Denham, the Information Commissioner.
Personal data under GDPR includes:
* Anything that is classified as personal data under the DPA also qualifies under GDPR.
If the data is no longer required for its original purpose, the user has the right to demand that it is deleted (the ‘right to be forgotten’). The same applies if the user objects to the way their data was processed or collected. An organisation’s controller is responsible for the removal of data/information supplied to other organisations, e.g. Facebook, as well as any links to copies of it. Data must be stored in commonly used formats so that it can easily be moved if the owner asks, and such a request must be completed within one month.
If a company suffers a data breach, it must inform the UK Information Commissioner’s Office within 72 hours of becoming aware of it. Before this, companies must only inform the people who have been affected by the breach.
Failure to meet the 72-hour deadline could result in the imposition of a penalty of up to 2% of global revenue, or €10 million, whichever is greater. In addition, if the basic principles laid out in GDPR are not followed, companies could be fined up to 4% of their global revenue, or €20 million, whichever is higher.
There is still much work to be done in order for all EU businesses to be fully compliant with GDPR before its final implementation next year. Those who fail to prepare and put in place the necessary technology to protect their clients’ data could find themselves falling foul of hefty fines and potential ruin. However, bear in mind that if you receive a complaint despite all the efforts you have put in place, what matters most is that you can show due diligence; this will go a long way towards minimising any consequences.
“At SD Worx we are committed to providing thought leadership around the impact GDPR will have on Payroll and HR. We are working hard to remain at the cutting edge of readiness and support our customers in preparing for GDPR and the fast approaching deadline of May 2018.” – Suhail Khan, Chief Marketing Officer.