Should you fear GDPR?
GDPR has been striking fear into marketers and boardrooms alike, but what is it? Should you fear it? How can you be ready for it?
GDPR is bringing data protection into the 21st century. It stands for General Data Protection Regulation and it comes into force on 25 May 2018. That’s less than a month away.
What does it mean really?
It is all about how you acquire, store and use personal data. It gives people far more control over their data as well as forcing data holders, such as businesses, to take care of that data.
There are huge fines if you are in breach of the regulations and could lead to fines of €20 million or 4% of your global revenue. These sort of fines could put a small organisation out of business. It is likely that data breaches will receive the biggest fines and if you do have one you must notify the Information Commissioner’s Office (ICO) within 72 hours of you noticing the breach.
I don’t hold personal data?
Most businesses will, whether this is HR data – names and addresses of current or ex-employees or business contacts. If someone can be identified from the data you hold, then this is personal data.
Six lawful bases for processing data
There are six lawful reasons for you holding and processing personal data:
- Legal obligation
- Vital interest
- Public task
- Legitimate interest
However, an individual always has the right to object to processing for the purpose of direct marketing, whatever lawful basis applies. Some companies have decided that it is too much effort to hold data – JD Weatherspoons deleted all the personal data they held on customers, but this does seem extreme.
What are Individual rights?
If you hold someone’s personal data they have eight individual rights for their data
- The right to be informed – how their data was collected and used
- The right of access
- The right to rectification
- The right to erasure
- The right to restrictwww.ico.org.uk processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
I am going to highlight the two which are more likely to impact of marketing
Right to Erasure
This is not your right to a free ticket to see the 80’s pop band, but in fact the right to be forgotten. Individuals can ask for their personal data to be erased. They can ask verbally or in writing and you have a month to respond. The right is not absolute and only applies in certain circumstances, but if you are holding their details for marketing then it is likely that they will have the right to this request.
Right of Access
If you are holding someone’s data then they have the right to access their data and supplementary information and to verify that you are lawfully processing it – e.g. you have consent, there is legitimate interest or one of the other bases for processing.
You must provide this information within one month of the request.
Get your house in order
As a business you should view GDPR as an opportunity. It gives you the chance to get your data in order and to delete information you do not need. GDPR is not going away, so now is, get compliant, invest in protecting your data and remain transparent with your customers. The ICO website has lots of tips and guides including 12 steps to follow and a hotline if you are unsure. Find out everything you need to know at www.ico.org.uk