Data Protection Changes (GDPR)
Current Data Protection legislation is set for substantial change in May 2018 and it will impact all businesses, large and small.
GDPR means big changes for all businesses
Due to the new Data Protection Regulations taking effect in May 2018 it's critical you understand what they will mean for your business. We cannot explain the scope of these changes in a blog post but perhaps we can signpost the way to more information.
What will change?
Much of the existing legislation is retained in principle; however, the overall breadth of the legislation is extended, and your responsibilities and potential penalties are broader and more serious:
Data - The new regulations extend the meaning of personally identifiable data to include computer IDs and any other mechanism that could be used to track an individual user. The existing distinction between B2B and B2C users is dropped; all must be treated the same.
Control - Individuals will have more control over their personal information. It should be easy for them to view, change and remove that information. Customers will have the right to port all their data from one company to another, and they will also have the right to be forgotten, which requires companies to delete a person's personal data when asked to. Currently, some marketeers charge customers to access the information held on them; under the new law your customers can access their information free of charge.
Consent - Depending on your basis for processing, you may be required to gain consent before putting your users into your email marketing list. If you are B2C you are already required to gain consent from your customers. Currently, B2B marketers are not required to gain opt-ins from businesses. In 2018 this will change and everyone will require a positive opt-in. Consent can be verbal, written or online (e.g. a tick box) but must be a positive action. You cannot offer a pre-ticked box or an opt-out option, and you must also obtain specific consent for every channel and usage you intend to apply to their data.
All consents you receive will need to be recorded adequately, as you will be required to provide proof that consent was given. You need to record the date, mechanism and scope for every consent. Customers will have the right to withdraw any of the consents they give, including consent to being profiled according to their interests and behaviour, unless they have previously consented to it or it is required as part of your terms and conditions.
Inform - You are required to inform users of everything that will happen to their data. In addition, you must inform your customers if your company or a subcontractor suffers a security breach and your user records have been hacked.
When will I need to start making changes?
It is recommended that you start implementing the changes needed to comply with GDPR today. It is entirely likely that your current email marketing lists do not comply with the requirements of GDPR, and after May next year you will be breaking the law if you use them. All your lists need to have GDPR-compliant consents in place before May 2018.
You cannot use your lists to ask for consent after May 2018, because you will not have consent to use the lists for any purpose. Even owning and storing the lists will technically be illegal. To obtain the consent you require, you must do so before May 2018 and to the standard required by the GDPR.
A useful guide is available from the Information Commissioner's Office together with more detailed information.