What a digital marketing agency needs to do to prepare for GDPR
We recently sent out an email about the implications of GDPR and wanted to take the opportunity to say a little bit more about this topic.
First things first. What is GDPR? It stands for General Data Protection Regulation and comes into force on 25th May next year.
GDPR is a new EU regulation with the overall aim of helping to strengthen data protection for EU citizens, whether resident within the EU or elsewhere. The GDPR is a blanket set of rules that apply to all EU member states. Each member state will designate a Supervisory Authority (SA) to ensure compliance to the legislation.
GDPR sends out a clear message that the personal data of EU citizens is to be respected and protected, and that those organisations who fail to do so will face the consequences.
One immediate question is whether, given that GDPR is very much EU-orientated, it will still apply in the UK? The resounding answer to that is yes! There will be a new Data Protection Bill that will replace the current Data Protection Act (DPA) of 1998 and will transfer the GDPR into UK law. This overhaul of UK data protection laws is being spearheaded by Digital Minister, Matt Hancock who explains: “The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world. It will give people more control over their data, require more consent for its use, and prepare Britain for Brexit.”
So how does the new GDPR legislation differ from the existing DPA? The DPA already places legal obligations on UK businesses to keep data safe and secure. In the words of the Gov UK website:
“The Data Protection Act controls how your personal information is used by organisations, businesses or the government. Everyone responsible for using data has to follow strict rules called ‘data protection principles’. They must make sure the information is:
- used fairly and lawfully
- used for limited, specifically stated purposes
- used in a way that is adequate, relevant and not excessive
- accurate
- kept for no longer than is absolutely necessary
- handled according to people’s data protection rights
- kept safe and secure
- not transferred outside the European Economic Area without adequate protection.”
GDPR takes things one stage further. Whilst many of its principles and concepts are similar to enhanced versions of those of the DPA, some are completely new. Therefore even if your business is currently fully compliant with the DPA, there will still be some additional measures to take.
The main emphasis of GDPR is transparency. It requires any organisation who collects and processes personal data – which it defines as a “Data Controller” – to inform people (“data subjects”) about:
- what personal data is being stored about them
- how this personal data is being used
- who has access to the data
- how and why data is being processed
- how long the data will be stored for
- who the data subject should contact about any aspect of the above.
It is also essential that the data controller ensures that people give “clear and affirmative consent” to the use of their personal data. They are also entitled to subsequently delete or correct this data. By “clear and affirmative” consent the Information Commissioner’s Office (ICO) means: “offering individuals genuine choice and control. Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of consent by default. Explicit consent requires a very clear and specific statement of consent.”
Under the provisions of GDPR, personal information about data subjects should also be given the additional protection of pseudonymisation. This is the process of transforming data in such a way that stops it from being attributed to a data subject without the use of additional information.
Some of the specific ways that GDPR – and its full incorporation into UK law – is likely to empower individuals are:
- making it simpler for people to withdraw consent for their personal data to be used;
- giving people the opportunity to ask for data to be deleted;
- requiring businesses to obtain “clear and affirmative consent” when they process sensitive personal data;
- expanding the concept of personal data to include IP addresses, DNA and cookies;
- letting people obtain more easily the information organisations hold on them;
- making it a criminal offence to re-identify people from pseudonymised data.
The above measures place a strong burden on businesses to protect data appropriately. The GDPR also requires the data controller to have suitable processes in place to deal with a data breach. Should a breach of identifiable or un-pseudonymised data take place, the data controller has a legal obligation to report this within 72 hours. The ICO has the ability to impose fines of 4% of annual turnover up to €20m!
As can be seen from the above, the impact of GDPR is far-reaching. There are few businesses today that do not use personal data in some way. Whether this is employee data, customer data, supplier data – or a combination of all these – if data relates to an individual then the new data protection laws will apply.
So what are the implications of GDPR for marketers? Whether you are a marketer for a business, or part of a digital marketing agency, much of your daily activity revolves around personal data. For most of us it will be a significant component of websites, apps, internal databases, CRMs, email and social media.
What are the things that we need to start doing now to prepare for next May? Here is our 3 point plan for getting GDPR ready:
1. Data Protection Officer
Appoint a Data Protection Officer (DPO) responsible for monitoring internal compliance of GDPR within your organisation. The DPO will then be the figurehead of GDPR and can keep data protection high on the agenda. They can ensure that GPDR compliance is not only achieved but then maintained. In most cases an internal employee (who is appropriately trained/informed) should be fine: but if you are processing personal data on a large scale then you could also consider outsourcing this role.
2. Data Audit
Conduct a personal data audit of all data currently being processed. For each item of data consider:
- What are you using the data for?
- Where is the data being stored?
- Do you still need the data?
If data is being processed on your behalf by third party data processors (for example Google, Mailchimp, Salesforce etc) you need to check that they are GDPR-compliant. In the case of US companies, they should also be US Privacy Shield compliant; the US Privacy Shield framework protect the flow of personal data between the EU and the US. Most third party data processors are becoming GDPR-compliant if they are not already, but should you find that this will not be the case by May 2018 deadline, you should make plans to replace them with a compliant provider.
3. Website updates
One of the main ways of obtaining marketing data is via a website and it is therefore this aspect that needs particular attention before May 2018. The following checklist was outlined in our email and here we add a bit more flesh to the bones so that you can appreciate exactly what actions you need to take:
1. Update your privacy policy to give more explanation about your data retention periods
You need to state how you use data – including which other databases and systems it goes to – how long you will keep it for, and explain how people can complain to the ICO if the need arises.
2. Have procedures in place to correct or delete personal data
The easiest way for people to do this is electronically, but you need to ensure that once it is changed or deleted on one platform that these changes then transfer over to every other place it is stored. You need to make this process as easy as possible for the data subject and it also needs to be free of charge.
3. The ability for your website to easily transfer data into a different system
You need to provide the facility for data subjects to move, copy or transfer their personal data from your system to another in a safe and secure way, for example by downloading their data or transactions with you in an easily portable format.
4. Consent can’t come from a tick box, it needs to be clearly explained and accepted
The aim of this provision is to ensure that consent must be freely given, specific, informed and unambiguous. It will also prevent automated decision-making such as profiling. Specific consent needs to be given for specific products and services, and your website may therefore need to build in additional consent points along the online customer journey.
5. Data breaches need to be reported
Better still, they need to be prevented. You will need to ensure that your website’s security is regularly checked and updated to avoid breaches. If a significant data breach does happen, in which data getting into the wrong hands could result in risk to individuals, you need to notify the ICO.
6. Data protection by design – your websites need to lead with GDPR
“Data protection by design and by default” is an express legal requirement of GDPR. Every aspect of the collection of personal data via your website needs to reflect this, so you will need to update your website accordingly. When developing new websites or online data collection mechanisms, think about data privacy right from the start rather than adding it in as an afterthought. This default also applies to reference to data subjects on social media: you need to assume that their required privacy settings will be the highest they can be.
We hope that this is a helpful start in your journey towards GDPR compliance, and will return to this topic over the coming months.
If you did not receive our email on this subject and would like to give your consent to be on our email list then do get in touch.
Similarly if you would like us to conduct an audit of your website, identifying the areas for improvement and providing you with a no obligation list of actions to become GDPR compliant then please do get in touch; we’re here to help.
