What is the GDPR?
Coming into force on the 25th May, 2018, the General Data Protection Regulation (GDPR) represents the most comprehensive change to data security in the last two decades.
The GDPR is a regulation by which the European Parliament, the Council of the European Union, and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). The regulation also aims to give citizens greater control over their personal data, as well as simplify regulatory reporting for international businesses, standardising reporting within the EU.
While the GDPR is principally an EU regulation, you are liable if you process the data of EU residents, regardless where you (or your business) is in the world. This means that non-European companies will need to comply with regulations and a failure to comply could come with a penalty of up to 4% of your worldwide turnover. Something you most certainly want to avoid.
This blog will serve as a straightforward and concise guide to the GDPR.
Who does the GDPR apply to?
The GDPR applies to any business that processes the data of EU residents, regardless of whether you are in the EU or outside. Furthermore, under the GDPR, both ‘controllers’ and ‘processors’ are held accountable for data management. But firstly, the definitions of the two:
- Data ‘controllers’ are those who define how the data is used and processed. Data controllers are essentially anyone – or anything - that holds and controls the personal data of individuals. For example, government bodies, voluntary organisations, hospitals, or even your Internet Service Provider (ISP).
- Data 'processors', on the other hand, process and manage personal data on behalf of the controller. For example, payroll companies, accountants, market research companies, surveyors – and many others – all process personal data on behalf of someone else (another individual or company).
Also, for UK businesses, the GDPR will still apply. The UK government has confirmed that it will indeed adopt the GDPR, despite Brexit, and it will apply in the UK from 25th May, 2018. A general rule of thumb is this – if you provide any goods or services to anyone in the EU, assume the GDPR applies.
What does the GDPR mean for your business’ marketing activity?
- Explicit consent for marketing.
One aspect that the GDPR addresses is the matter of consent. At the moment, you can engage with and market to individuals without explicit consent, relying on soft opt ins and purchasing email lists from third parties, marketing to every individual on that list. From an Inbound Marketing perspective, this is not good business, as interrupting people who have never heard of your company with email blasts is the quickest route to being blacklisted and blocked.
Under the GDPR, businesses will need to obtain explicit consent – a clear affirmative action from website visitors or contacts that signifies their agreement to their data being processed. Individuals must know what their data is being used for and what they are agreeing to – so be plain with your website visitors!
Also, consent is specific to the type of communication in question, so if an individual opts in to cookie tracking, they have only given their consent for cookie tracking; whereas if they’ve given consent to be communicated with over email, they’ve only given their consent for email communication. You must get consent for each element of your marketing activity. So you will need to review the wording on your website’s cooking tracking and data privacy policies.
- Opt out and opt in must be available
Another key point is that consent cannot be implied or inferred from silence, pre-ticked boxes or inactivity – data subjects must take some form of clear affirmative action, such as an opt in, to indicate that they are indeed happy to hear from you. No more assumed opt in!
- Individuals must be able to access their data
Another aspect in regards to the GDPR, is the right for individuals to request information on how their personal data is being processed, including where and for what purpose. The information must be provided to the data subject free of charge and in a machine-readable, electronic format. For marketers, this means having a complete record that includes all of the data you currently have on that individual. I strongly recommend that you use a system which makes it easy for you to export this data and share with an individual who has requested it.
- Right to be forgotten and data lifecycles
The right to be forgotten, also known as the ‘right to erasure’, enables individuals under the GDPR to request the deletion or removal of personal data where there is “no compelling reason for its continued processing” – essentially when that data has no real use to the business. There are certain instances where individuals can request the erasure of their data, which are:
- Where the personal data is no longer necessary for what it was originally obtained for
- Where the individual withdraws their consent.
- Where the individual does not want their data to be processed and there is no real reason to continue processing that data.
- Where the personal data was processed against the data subject’s will
- Where a legal obligation requires for that data to be erased.
With around nine months until the GDPR comes into play, there’s plenty of time to get your data, systems and processes in order. So, plan and act now, rather waiting until 25th May 2018. I’ll be sharing some useful hints and tips over the next nine months to ensure you’re fully aware, and compliant with the change in regulations. Stay tuned for the next blog that tackles what the GDPR means for your business’ marketing activities – and what you can do to prepare thoroughly.
Are you a HubSpot user? If so, this in-depth guide to the GDPR and what it means for your business’ HubSpot marketing is tremendously helpful, and can be downloaded via the button below.
Also, if you still have questions about the GDPR and what it means for your business, please check out this GDPR FAQ which can be accessed by clicking the link below.