From Scouts group leaders to Coca Cola’s marketing department, everyone who manages a mailing list, sends out digital marketing materials or cold-contacts possible customers will be affected by the new 2018 data protection legislation. The General Data Protection Regulation (GDPR) is designed to regulate how companies use and store the data of EU citizens and applies to businesses in countries outside the EU, too. This means that even after Brexit is finalised, almost every company, whether in Hampshire, Hanover or Hanoi, will have an EU citizen on their books somewhere, as client or staff member, former, current or potential, so everyone needs to be aware of it. Here are a few of the ways the GDPR may impact your business.
1. Opt-in is now mandatory
If you want more customers to sign up to your newsletter, the easiest way is to put a pre-ticked box next to the ‘buy now’ button. That’s got to go. The GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” [emphasis ours]. While it has yet to be tested in court, it seems evident that an opt-out or a pre-ticked box is unlikely to count as ‘clear affirmative action’, and mandatory or automatic sign-ups are not going to count as ‘freely given’.
2. …Except when consent doesn’t apply
Everyone can think of a ‘what-if’ scenario where data would need to be handled without an individual’s consent. Even if you’re not dealing with prisoners in jail or patients in a coma, there may be reasons why you have the right to gather and process data without consent. You may have, for example, what the EU calls a ‘legitimate interest’. The GDPR even says “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”, although it’s not yet clear what the boundaries of this will be. It’s important to note that processing is distinct from gathering, so you may have more freedom once people have handed over their data than when you’re trying to gather it.
3. You’ll need to know how to delete data
Most digital marketing campaigns are managed virtually. Someone creates a newsletter sign-up box, individuals sign up, they receive the newsletter, and if they want to unsubscribe they do it through a link in a form. So far so good. With the advent of the GDPR, individuals have more rights over their data, and this includes the right to have data removed. Grounds for demanding that data be removed include: withdrawing consent (e.g. ‘I no longer wish to receive your newsletter’); the personal data is no longer necessary (e.g. once a transaction is complete, you can’t then use that data for digital marketing).
4. You’ll need to know where your data is
Individuals will now have the right to know what information companies are holding on them, so you’ll not only need to know how to delete data, you’ll need to know where it is. Many small businesses may struggle with this as it’s common to have data stored in a variety of places as well as under different aliases. For example, if you’re a Hampshire car repair shop, you may have information for ‘Bob Smith’ on paper forms in your office, appointment information in your online calendar, digital marketing information in the cloud under ‘firstname.lastname@example.org’, as well as information provided to appropriate third parties such as the DVLA. Could you find it all if asked?
5. Introducing the right to be forgotten
The right to be forgotten has been making waves online for a few years now, but it has mainly applied to search engines, not ordinary businesses. With the advent of the GDPR, individuals will have a broader right to be forgotten, not only by search engines but also by companies and other organisations. In cases where the controller has made the information public (e.g. if you’ve put information on your website), it is the responsibility of the controller to take reasonable steps to ensure that other controllers who may have used this data also remove it.
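Points 3, 4 and 5 together describe one practical capability: a register of every place personal data lives, a way to find one person's records across all of them (including under different aliases), a way to delete them, and a record of which third parties also need to be told. The script below is an added illustration of that capability, not code from the original article; the stores, records, aliases and the "DVLA" disclosure entry are constructed sample data standing in for the car repair shop's real paper register, calendar, mailing list and third-party disclosures.

```python
"""Locate and erase one data subject's records across several data stores.

Added example (not the article's own code). All stores and records below are
constructed sample data; a real business would point the same inventory at
its actual CRM, calendar, mailing-list tool and paper-file register.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class DataStore:
    """One entry in the data inventory: where personal data lives."""
    name: str            # human-readable label, e.g. "online calendar"
    records: list        # the records themselves, as dicts
    match_fields: tuple  # record keys that can identify a data subject
    third_party: str = ""  # who else received copies, e.g. "DVLA" (hypothetical)


def _norm(value) -> str:
    """Case- and whitespace-insensitive form, so 'bob smith' matches 'Bob Smith'."""
    return " ".join(str(value).split()).lower()


def _record_matches(record: dict, fields: tuple, wanted: set) -> bool:
    """True if any identifying field of the record equals a known alias."""
    return any(_norm(record.get(f, "")) in wanted for f in fields)


def locate_subject(stores: list, aliases: set) -> dict:
    """Answer 'what do you hold on me?': map store name -> matching records."""
    wanted = {_norm(a) for a in aliases if _norm(a)}  # drop empty aliases
    found = {}
    for store in stores:
        hits = [r for r in store.records if _record_matches(r, store.match_fields, wanted)]
        if hits:
            found[store.name] = hits
    return found


def erase_subject(stores: list, aliases: set, reason: str) -> list:
    """Answer an erasure request: delete what we hold, log what we did, and
    raise a notification task for every third party that received a copy."""
    wanted = {_norm(a) for a in aliases if _norm(a)}
    stamp = datetime.now(timezone.utc).isoformat()
    audit = []
    for store in stores:
        keep = [r for r in store.records if not _record_matches(r, store.match_fields, wanted)]
        removed = len(store.records) - len(keep)
        if removed == 0:
            continue
        store.records[:] = keep  # delete in place
        audit.append({"store": store.name, "action": "erased",
                      "count": removed, "reason": reason, "at": stamp})
        if store.third_party:
            # We cannot delete on their systems; record the duty to inform them.
            audit.append({"store": store.name, "action": "notify",
                          "party": store.third_party, "count": removed,
                          "reason": reason, "at": stamp})
    return audit


def build_sample_stores() -> list:
    """Constructed inventory for a small car repair shop (sample data only)."""
    return [
        DataStore("paper forms register",
                  [{"name": "Bob Smith", "phone": "01234 567890"},
                   {"name": "Jane Doe", "phone": "01234 000000"}],
                  match_fields=("name",)),
        DataStore("online calendar",
                  [{"title": "MOT", "customer": "bob  smith"},
                   {"title": "Service", "customer": "Jane Doe"}],
                  match_fields=("customer",)),
        DataStore("mailing list",
                  [{"email": "firstname.lastname@example.org", "consented": True},
                   {"email": "jane@example.org", "consented": True}],
                  match_fields=("email",)),
        DataStore("disclosures to DVLA",
                  [{"name": "Bob Smith", "reg": "AB12 CDE"}],
                  match_fields=("name",), third_party="DVLA"),
    ]


if __name__ == "__main__":
    stores = build_sample_stores()
    bob = {"Bob Smith", "firstname.lastname@example.org"}
    print("Held on Bob:", locate_subject(stores, bob))
    for entry in erase_subject(stores, bob, "consent withdrawn"):
        print(entry)
    print("Held on Bob after erasure:", locate_subject(stores, bob))
```

The point of the alias set is that the same person appears as a name in one store and as an e-mail address in another; a request that only searched by e-mail would miss the paper forms and the calendar. The audit list is what you would keep to show that the request was honoured, and the "notify" entries are the follow-up tasks for third parties whose copies you cannot delete yourself.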