GDPR - The Facts
After the General Data Protection Regulation (GDPR) was adopted by the European Parliament back in April 2016, firms were given a two-year grace period to conform with this new legal framework on data collection and processing.
It’s now just a matter of months until the GDPR becomes fully enforceable throughout the European Union on 25 May 2018, but many businesses of all shapes and sizes are still attempting to come to terms with what the GDPR means for them going forward.
So to clear up some of the confusion, here’s a breakdown of what the GDPR is, how companies are preparing, and what impact the legislation will have on the world of marketing from May onwards.
What is the GDPR?
If you’re a marketer, hopefully, you’ve already heard all about the GDPR and are now well on your way to implementing changes to the way you go about your business on a daily basis. Although the GDPR has only started making headlines in trade publications over the last few years, it’s something that’s been in the pipeline since the European Commission initially proposed that data protection regulation be updated back in January 2012.
In a nutshell, the GDPR is a legal framework that sets guidelines for how the personal information of citizens within the EU can be both collected and processed by businesses. Once fully adopted in May, the framework will replace the old Data Protection Directive of 1998, which was written up in a world that was far less data-driven than the one we now live in.
The reform aims to give EU residents more control over, and ownership of, their personal data than ever before - in effect, giving the power back to ‘the people’. The GDPR has also moved to modify what is and isn’t classed as personal data. While the definition of ‘personal data’ was determined by each individual EU member state under the Data Protection Directive, ‘personal data’ under the GDPR will include any piece of information which could be used alone, or alongside other information, to identify a person.
And although many of the principles from the 1998 directive will still apply when the GDPR comes into force in May, there are also a number of key changes which businesses that handle large amounts of clients’ personal data need to be aware of.
Impact of the GDPR on Marketing
Of course, data is everything in marketing and advertising. When it comes to handling a vast amount of clients’ personal data, not many businesses do so more than those in the marketing sector. Up to this point, marketers have been well within their rights to obtain an individual’s personal data by whatever means possible, store that data for as long as they felt necessary, and process that data in whichever way they saw fit. But those days are soon to be a thing of the past.
That’s because, under the GDPR, every individual will have the right to have their personal information ‘forgotten’ - i.e. deleted - by any organisation they wish. And to get hold of someone’s personal data after 25th May, consent must have been clearly given by the individual to the company in question, rather than assumed.
What’s more, for every piece of personal information stored by an organisation, that firm will have to record precisely how the data was gathered, how consent was given, how long the data will be stored for, and how the company plans to process and use that data in the future. Additionally, it will become mandatory for any company that suffers a data breach to issue a breach notification within 72 hours of the breach being discovered - if the breach is a “risk to the rights and freedoms of individuals”.
It’s therefore not hard to see why the marketing industry views these new regulations as being bad news. After all, marketing databases have been grown using clever methods - such as competitions that require personal information to be submitted in order to enter - for many years. And the main reason for the widespread concern amongst marketers when it comes to conforming to the GDPR? The penalties for non-compliance are severe.
After 25th May, any organisation found to be in breach of the regulations set out by the GDPR can be fined an eye-watering €20m or 4% of annual global turnover (whichever is the higher value). However, the penalties handed out for violation of the GDPR are in a five-tiered system, starting with a warning being issued for a minor breach and ending with a multimillion euro (or pound/dollar) fine.
Will Brexit Exonerate UK Businesses From Complying?
Put simply, no. While Britain will be leaving the European Union on 29th March 2019, this won’t provide the ‘get-out-of-jail-free card’ from GDPR-compliance that some UK firms will have been hoping for. All businesses that handle and process the personal data of EU citizens will have to adhere to the GDPR regulations, regardless of where the organisation is based. This means that British companies will receive exactly the same punishments for violating GDPR as any business located in one of the EU’s remaining 27 member states would.
The UK government also intends to establish its own version of GDPR by introducing a new Data Protection Bill - which is likely to mirror many of the regulations in GDPR and write them into UK law. This increased territorial applicability is one of the main differences that firms need to be aware of between the old Data Protection Directive and the new GDPR.
How does the Marketing Industry React?
So as a heavily data-centric sector, how does marketing adapt and continue to operate successfully after May? In short, transparency will be the order of the day for marketers from this point onwards. As a marketer, you now need to make your intentions crystal clear at every stage if you want to avoid landing your company a huge fine for infringing GDPR.
For larger organisations with over 250 employees, the first step is to hire a data-protection officer (DPO) who can help you along the road to full GDPR-compliance. Then, companies should carry out a full review of their current data flow and processes, enabling them to see the areas where new procedures need to be introduced in order to satisfy the GDPR regulations. This review should analyse how the business is currently:
Once the review is complete, the findings can then be compared with the GDPR regulations to highlight where processes must be changed, allowing a project to be organised which focuses on ensuring total compliance with the new legal framework.
What’s more, marketing firms will also have to review their current, historical database and ensure that all personal information stored there also complies with the new framework. An email should be sent to all active users asking them to update their contact details, making it very clear why the company is getting in touch (due to the new regulations). Any current data stored that doesn’t comply with the GDPR - for example if no record exists of consent having been given by the individual - should be deleted.
Could GDPR Prove to be a Positive?
While there’s a lot that businesses in the marketing industry need to do in order to conform to GDPR regulations, there are a couple of ways that the new framework - which may seem restrictive - could actually help to improve and revolutionise the way in which businesses market to, and connect with, their clients.
For marketers to succeed after May, they’re now going to have to work harder, think smarter, and be more innovative than ever before. Companies will have to provide their customers with even more valuable content in order to gain their attention and earn the right to connect with them. The attention of consumers has been taken for granted up to now, but marketers will be forced to raise their game from May onwards by being cleverer and more thoughtful.
Also, it’s fair to say that at the moment, the majority of us don’t see, or don’t understand, the value in sharing our personal information with companies (and sometimes, we don’t even realise that we’ve done it). But with the greater transparency GDPR will bring, firms will now need to persuade clients that they will receive a real, tangible benefit from allowing their data to be shared. This should lead to an improved understanding of why data sharing can be a positive thing, and marketers will once again have to provide more value than ever.
To summarise, GDPR is something to be taken seriously. Any company that will be affected by the regulations, but hasn’t already been preparing for life after 25th May, should make doing so a priority. Being proactive, organised and transparent will be the key for marketing businesses to thrive in the industry post-GDPR. The sooner you start modifying your data flow processes to comply with the new regulations, the more time your team will have to fully adapt to the requirements of the new framework.