Frequently asked questions in relation to the GDPR
On 25 May 2018, the most comprehensive reform to data security and privacy in the last 20 years will come into effect: the General Data Protection Regulation (GDPR). Designed to harmonise data security and privacy laws across the European Union, the GDPR will transform data acquisition, processing and management as we know it.
Despite there being less than a year until the GDPR, many businesses are unprepared or unsure of what the GDPR actually means for their business’ marketing activity. American research and technology advisory firm Gartner predicts that, by the end of 2018, more than 50% of companies affected by the GDPR will not be in full compliance with its requirements.
The recommendation from many institutional bodies, experts and advisory firms is to act now. But while there is a plethora of information out there on the GDPR, little has been said on what it means for a business’ marketing activity – and how best to prepare.
Therefore, we have compiled a list of the most frequently asked questions in regards to the GDPR and provided a series of answers.
"The GDPR obviously covers email and email communications - does it also include telephone communication? What if I buy a list of phone numbers and call each person?"
Before you even start contacting people on a list you have purchased from a third-party, ask yourself this:
“Did the data provider obtain that information consensually – and did the individuals on that list consent to being contacted by parties other than the data provider itself?”
If the answer to both questions – or either of them – is “no”, then you will be breaking the law under the GDPR. Consent must be acquired for each individual action: the data provider must have obtained that information consensually – and the data subjects must have consented to their data being used by parties other than the data provider.
Also, if you record calls, this falls under the Data Protection Act (DPA) of 1998 and is classified as a form of data processing. The DPA states that individuals must be informed of how and why their data is being processed – which, in this instance, means telling the individuals what the call is for or what the recording is going to be used for. You know when you call Vodafone, for example, and hear “this call is being recorded for training purposes”? That’s the DPA working away. The GDPR extends these requirements, asking that businesses demonstrate that the purpose of call recording fulfils any of these six conditions:
- The people involved in the call have given their consent to be recorded
- Recording is necessary for the fulfilment of a contract
- Recording is necessary for the fulfilment of a legal requirement
- Recording is necessary to protect the interests of one or more participants
- Recording is in the public interest or necessary for the exercise of official authority
- Recording is in the legitimate interests of the recorder – unless those interests are overridden by the interests of the participants in the call
In order for calls to be recorded, businesses will need to justify the call recording under one of the six categories highlighted above.
"Are these rules or guidelines? What is the difference?"
To be clear, the GDPR is law – and not advisory.
Businesses that process personal data of European Union (EU) citizens, regardless of whether they operate in or outside the EU, must comply with the GDPR. Failure to adhere to the GDPR can result in fines of up to 20 million Euros or 4% of the group’s worldwide turnover (whichever is greater).
Less serious violations such as improper records or failing to notify the relevant authority of a breach can result in fines of 2% of the group’s annual worldwide turnover, or 10 million Euros.
"Who will actually issue the fines? Who would you contact to complain about a company? Who will contact you if there has been a breach (i.e. is it a European body)?"
The supervisory authority in each EU country will issue fines in the event of a data breach. Complaints regarding businesses should also be lodged with the relevant supervisory authority.
In the UK, this is the Information Commissioner’s Office, which is headquartered in Wilmslow, Cheshire and also has offices in Scotland, Wales and Northern Ireland.
"I’m in the UK and Brexit is coming - why should I bother or worry about it?"
The UK Government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
According to the gov.uk website: “The GDPR will have a direct effect on UK law from 25 May 2018. There are derogations (flexibilities) within the GDPR where the UK can exercise discretion over how certain provisions will apply.” Once the UK has left the European Union, however, the legislature will be able to make changes to the GDPR framework as it sees fit.
This means – despite Brexit – the GDPR will apply. Regardless of Brexit, if your business markets to European citizens or operates within the EU, the GDPR will apply! After the initial exit period, the UK will develop further legislation that will largely follow the GDPR, as it provides a clear baseline for UK businesses to continue to market to EU citizens and those in the EU.
"The regulation talks about ‘data controllers’ and ‘processors’, what are they?"
In their simplest forms, data controllers are those that determine how data is used and processed. Data processors process data on behalf of a controller.
Here are some examples of data controllers: government bodies, voluntary organisations, hospitals, or even your Internet Service Provider (ISP).
Here are some examples of data processors: accountants, market research companies, surveyors – anyone who processes data on behalf of someone else (an individual or company).
For example, we – as a marketing consultancy – would be both a data controller and a data processor. We collect personal information from website visitors, including those who fill in forms, and we control that data, as we decide what to keep and what to use in our digital marketing efforts.
We process that data as well. Holding it, organising it, analysing it, adapting it, retrieving it, erasing, combining and much more. It could be as simple as obtaining a new lead via your website and adding that lead’s information into your CRM or editing contact records.
"Who is responsible for the data within marketing agencies?"
Simply put, everyone!
Having a clear view of your business’ data across the department is key to ensuring you meet the requirements of the GDPR. Good data governance needs to be driven from the top down (I’m looking at you, C-Suite) and on that basis, starts with the seniors in the business driving it forward.
That said, the GDPR does require that certain businesses, organisations and institutions appoint a DPO (Data Protection Officer) to oversee the business’ data management.
Under the GDPR you must appoint a data protection officer if you:
- Are a public authority (except for courts acting in their judicial capacity);
- Carry out large-scale systematic monitoring of individuals (for example, online behaviour tracking); or
- Carry out large-scale processing of special categories of data or data relating to criminal convictions and offences
You may appoint a single data protection officer to act on behalf of a group of companies or public authorities. Any organisation can appoint a DPO, regardless of whether the GDPR requires you to do so.
"What happens if I lose a laptop/company mobile phone/USB that has sensitive data on it – who do I report it to?"
Firstly, you only need to notify the relevant supervisory authority of a breach where it is likely to risk the rights and freedoms of individuals, such as their human rights and freedom of expression. Supervisory authorities differ from country to country, but in the UK, it’s the ICO – the Information Commissioner’s Office – based in Wilmslow, Cheshire, but with offices in Scotland, Wales and Northern Ireland.
A breach must be reported, for example, if it will have a detrimental effect on individuals, resulting in (as the ICO states) discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
For example, if a breach of customer details leaves customers open to identity theft, that must be reported.
Individuals must be notified immediately if it’s a high-risk breach, as well as the relevant supervisory authority. For those in the UK, this means telling the individual and informing the ICO.
"Will data providers now go out of business? Surely they can sell GDPR-compliant data lists?"
Perhaps, but more likely they will have to work harder and therefore costs will increase. Data providers will need to reassess the way in which they build their lists. They will need to obtain consent from each individual on the list so they can compile that information – and they will also need to obtain separate consent from them so they can sell that list to third parties. It’s a lot of work, but it can be done.
"Is double opt-in a guidance or a law? Does GDPR include ‘double opt-in’? I.e. A website visitor said “OK” passively, but do I need to confirm their consent? Surely single consent is enough?"
Double opt-in is guidance, not law.
In order to comply with GDPR regulations, you have to be able to prove that the individuals that you are contacting have provided affirmative consent for you to do so.
In order to prove affirmative consent, you must be able to show that they have completed an action to say: 'yes, I'm happy with this'. You can no longer have pre-ticked boxes or assume consent based on an individual's inactivity. Also, you must provide opportunities for the individual to opt-out of any communication if they so wish.
Double opt-in, however, requires the individual to provide their consent twice and thus improves your record of consent, but it is not a legal requirement. Double opt-in is simply best practice, as it leaves no room for error when it comes to being able to prove consent further down the line.
If you are only gaining one stage of affirmative consent, make sure that you are also providing opportunities at every touchpoint for the contact to opt out of communications.
"What about my contact database? Can I still email these people?"
The GDPR states that you are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. But if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard of being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. So, make sure you update your consent mechanisms if need be!
We hope you have found this GDPR FAQ document to be useful and would be very happy if you were to share it with others through social media. Of course, this is a living document and it will be routinely updated up until the commencement of the GDPR to ensure absolute accuracy.
If you are a HubSpot user and struggling to develop a plan in regard to GDPR, why not check out our free eBook?