Learn more about 2018’s new data protection regulations and what they mean for marketing companies like ours.

The new General Data Protection Regulation, or GDPR for short, is coming into force on 25th May this year. And it’s going to dramatically change how companies like ours collect and store data.

Ever since the vote was passed by the European Parliament back in April 2016, and our government decided to update the current legislation, there’s been much talk of what these new regulations will actually mean for the marketing industry. So we’ve decided to put together a brief – yet important – guide to what the GDPR is, and how it’s going to affect digital marketing consultants.

What Is The GDPR?

For those of you who are not 100% familiar with GDPR, it is designed to replace the current Data Protection Act of 1998.

This existing legislation is very out of date when it comes to the management of digital information, and the powers that be (quite rightly) thought that it was about time the law was upgraded to demand that online companies protect our online data.

The new GDPR takes technological advancement from the last twenty years into account and has been designed to cater for future developments, too.

Does The GDPR Still Apply In The UK After Brexit?

Yes – absolutely! Though at the time of writing, the UK intends to leave the European Union in 2019, we are currently still a part of the movement, and this means that we will need to all adhere to the regulation once it comes into force.

The Key Considerations – Opting In, Not Opting Out

One of the changes that is going to affect our industry the most is the elimination of the ‘opt-out’ process (this will be all too familiar to all you email marketers out there).

Right now, if a customer doesn’t want to receive your marketing messages – for example, from marketing newsletters, or via text – they can ask to be removed from your company’s records. Or, in layman’s terms, they can opt out. Once GDPR is introduced, however, people will have to opt in if they want to be included in your marketing communications.

Requests for consent must be clear, explicit and specific. The customer should be able to choose whether or not their data can be used for marketing purposes, analytics, profiling, sharing and for distribution to third parties. It’s not simply enough to ask them to opt-in with a blanket statement any more.

Only Collecting Necessary Data

Your communications need to tell the customer exactly why you want their data, and how it will be used. And if the customer wants to withdraw their consent at any given time, you need to provide simple instructions as to how they can do so.

Recording Consent

This is the bit that’s going to pile on the paperwork. Every time a customer expresses their consent, the how and when of their instruction needs to be recorded. You will also need to make a note of the exact wording that was used to ask for their consent.

Confused yet? Well, that’s not all…

Establishing Accountability For Data Management

Any marketer that is storing and using customer data has a responsibility to keep it away from prying eyes. With cyberattacks becoming more prevalent, and the topic of stolen or misused data hotter than ever before, it’s vital that marketing companies take the necessary precautions to keep all of their information safe. This will typically be achieved by using the strongest possible passwords and encryption systems – but unless you have a background in IT, you may need to seek the advice of a specialist to make sure that your data protection methods are compliant with the GDPR.

What Happens If I Don’t Follow The New Rules?

If you still need to get to grips with the GDPR, now is the time to act. With just a handful of months left until it is rolled out across the EU, it’s vital that marketers understand the new rules – and the sobering implications of not following them.

Asking For Consent Checklist

The ICO has put together a handy GDPR consent checklist to help marketers take the necessary steps to ensure they are fully compliant:

☐ We have checked that consent is the most appropriate lawful basis for processing.

☐ We have made the request for consent prominent and separate from our terms and conditions.

☐ We ask people to positively opt in.

☐ We don’t use pre-ticked boxes or any other type of default consent.

☐ We use clear, plain language that is easy to understand.

☐ We specify why we want the data and what we’re going to do with it.

☐ We give individual (‘granular’) options to consent separately to different purposes and types of processing.

☐ We name our organisation and any third party controllers who will be relying on the consent.

☐ We tell individuals they can withdraw their consent.

☐ We ensure that individuals can refuse to consent without detriment.

☐ We avoid making consent a precondition of a service.

☐ If we offer online services directly to children, we only seek consent if we have age-verification measures (and parental consent measures for younger children) in place.

Recording Consent

☐ We keep a record of when and how we got consent from the individual.

☐ We keep a record of exactly what they were told at the time.

Managing Consent

☐ We regularly review consents to check that the relationship, the processing and the purposes have not changed.

☐ We have processes in place to refresh consent at appropriate intervals, including any parental consent.

☐ We consider using privacy dashboards or other preference-management tools as a matter of good practice.

☐ We make it easy for individuals to withdraw their consent at any time, and publicise how to do so.

☐ We act on withdrawals of consent as soon as we can.

☐ We don’t penalise individuals who wish to withdraw consent.

The EU will slap big penalties onto any company that does not comply with the new General Data Protection Regulations as of May 2018. Businesses that do not take the necessary steps to adequately protect and manage their data could be faced with a fine of up to 4% of their global revenue, or 20,000,000 euros – whichever is greater. If the incident isn’t as severe, the fine will be decreased to 2% of revenue or 10,000,000 euros – but we think you’ll agree that that’s enough to leave a hefty hole in a business of any size!