GDPR means big changes for all businesses
Because of the new Data Protection Regulations taking effect in May 2018 it's critical you understand what they will mean for your business. We cannot explain the scope of these changes in a blog post but perhaps we can signpost the way to more information.
What will change?
Much of the existing legislation is retained in principle; however, the overall breadth of the legislation is extended, and your responsibilities and potential penalties are broader and more serious:
Data - The new regulations extend the meaning of personally identifiable data to include computer IDs and any other mechanism that could be used to track an individual user. The existing distinction between B2B and B2C users is dropped; all must be treated the same.
Control - Users will have more control over their personal information. It should be easy for them to change, view and remove information. Customers will have the right to port all their data from one company to another and they will also have the right to be forgotten, which requires companies to delete people's personal data when asked to. Currently, some marketeers charge customers to access the information they hold on them, the new law means your customer can access their information free of charge.
Consent - You will be required to always gain consent before putting your users into your email marketing list. If you're B2C you are already required to gain consent from your customers. Currently B2B marketers are not required to gain opt-ins from businesses. In 2018 this will change and everyone will require a positive opt-in. Consent can be verbal, written or online (e.g. a tick box) but must be a positive action. You cannot offer a pre-ticked box or an option to opt out, etc.; you must also obtain specific consent for every channel and usage you intend to apply to their data.
All consents you receive will need to be recorded adequately, as you will be required to provide proof that consent was given. You need to consider the date, mechanism and scope for all consent records. Customers will have the right to withdraw any of the consents they give, including being profiled according to their interests and behaviour, unless they have previously consented to it or it is required as part of your terms and conditions.
Inform - You are required to inform users of everything that will happen to their data. As well as this, you must inform your customers if your company or subcontractor suffers a security breach and if your user records have been hacked.
When will I need to start making changes?
It is recommended that you start implementing changes needed to comply with GDPR as early as today. It is entirely likely that your current email marketing lists do not comply with the requirements of GDPR and after May next year you will be breaking the law if you use them. All your lists need to have GDPR compliant consents in place before May 2018.
You cannot use your lists to ask for consent after May 2018 because you will not have consent to use the lists, for any purpose. Even owning and storing the lists will technically be illegal. To get the consent you require you must do so before May 2018 and to the standard required by the GDPR.
A useful guide is available from the Information Commissioner's Office together with more detailed information.
What are 101 doing?
Like every business, 101 is working to review our internal policies and processes to ensure our compliance with the obligations of the GDPR in advance of 25 May 2018.
At this time, we are unable to give any specific details as to the precise steps that we are taking. This is because all of our relevant policies, processes and systems are undergoing review. Further, guidance on the GDPR is still being formulated and reviewed by various bodies (the ICO and the Article 29 working party, for instance). All of this makes it impossible for us or any business to be able to provide specific guidance as to the outcome of our reviews at this stage.
That said, we are undertaking a privacy impact assessment in addition to conducting a full technical review of our services and can reiterate that 101 will be fully GDPR-compliant before the effective date of 25 May 2018. We will continue to comply with all current data protection legislation and we will update all clients as necessary once we have confirmed the steps required to comply with the GDPR.
By Callum Atkinson - 23 Mar 2017