In just a few weeks’ time, GDPR will be here. You’ve probably heard a lot about it. You’ve probably been confused (just like everyone else) by the contradicting guidances issued by various government departments and agencies. Is your business ready for GDPR?
What is GDPR and what does it stand for?
GDPR stands for “General Data Protection Regulation”. It is an EU regulation that was passed in April 2016. An EU regulation is a law that overrides all national laws and is the same across all 28 EU countries. It’s a very different animal to the EU Directive on Privacy and Communications 2003 where each member country could apply their own interpretations to a basic set of guidelines.
GDPR will be enforced from the 25th May 2018. This doesn’t give businesses much time to check if they are ready for it nor to make the necessary changes to their ways of working if they aren’t.
Gaining consent for marketing under the GDPR
With GDPR, you’ll now need to gain somebody’s explicit permission in order to store and use their data.
As you can imagine, this is especially important to companies and how they market to customers. Many companies rely on their database of clients who they can run email and telesales campaigns to – it’s a profitable and repeatable way to bring revenue in.
Many business owners are wondering if GDPR will stop them from using their customer databases. In most situations, they will be able to continue using the same databases as they were pre-GDPR if their clients are limited companies.
In fact, you’ll still be able to buy in third-party marketing databases after GDPR where you have not been given specific and individual consent to send marketing material as long as the following conditions are met:
- the database only contains limited companies
- the marketing you carry out is for products and services which will benefit the business an individual works for as opposed to the individual themselves (think public liability insurance – fine, home and contents insurance – not fine).
For consumers, sole traders, and partnerships, you will need to opt everyone in again to your marketing database before 25th May unless the consent given to you to use the data by the recipients was “demonstrable and unambiguous”.
This is (ironically) ambiguous as it is open to interpretation. We recommend that if there is any doubt at all, you should gain new consent from your customers to avoid any fines.
Building on the Data Protection Act 1998, GDPR requires you to have a “lawful basis” to process personal data. There are six “lawful bases”:
- consent (which a consumer can withdraw at any time)
- contract (you need this data in order to be able to fulfil a contract agreed between you)
- legal obligation (you need this data to comply with the law)
- vital interests (this protects a person’s life)
- public task (processing is required so that you can perform a task in the public interest)
…and the big one…
- legitimate interests (you need that data for your interests or a third party’s interest unless you need to protect the data to protect the individual).
You decide which of the six lawful bases applies to your own database. Each field of data you hold, under whichever lawful bases, must be no more than is needed to perform the task at hand. For example, you could not hold records of someone’s home address 10 years ago because it is of no use to you now in selling them widgets.
Protecting your data
You must take all reasonable steps possible to prevent data falling into the hands of others, particularly cybercriminals. This is a whole other area that we will cover in a blog article in forthcoming weeks.
We can help
GDPR is coming and it’s going to change everything. Get it wrong and the fines are enormous – up to 4% of your turnover or up to EUR20m.
Marketing experts predict that direct marketing will die out in the next 5 years. Data and cyber security experts think many companies could be crippled by increasingly aggressive criminal attacks.
If you want to know more, take a look at the following blog post for GDPR compliance for small businesses at Just Add Tech’s website. If you need further help get in contact with them at https://www.justaddtech.co.uk/contact/ or on 01202 800629.