You will no doubt have heard the term ‘GDPR’ quite a few times by now. There has been a lot of coverage in the media and there are lots of companies advising that we all jump on the GDPR panic-wagon.
Do you need to panic? Simple answer: no.
Do you need to take action now? Definitely.
Let’s start with the essentials. GDPR stands for General Data Protection Regulation. It is the European Union’s revised and updated approach to data protection, replacing the 1995 Data Protection Directive (95/46/EC, to give it its full title). The change of name matters: a directive had to be transposed into each member state’s national law, with variations along the way, whereas a regulation applies directly and identically across the EU.
Why did a law that had stood since 1995 need replacing? Data has moved on a lot with the advent of the Big Data age. This has led to an explosion in the amount of personal information that’s collected and stored, and to many new ways in which that data is used. Coupled with some high-profile data security failures at household names such as Sony and Amazon, this has left many people distrustful of how their data is handled. Action was needed to bring data protection law into the modern era and to allay those growing fears.
Less than a year to comply
GDPR applies from 25 May 2018. From that day, every organisation will need to comply with it. By ‘every organisation’, we mean ones in Europe, right? Well, no. Under Article 3, GDPR applies to any organisation established in the EU that processes personal data, and to organisations outside the EU that process the personal data of people in the EU when offering them goods or services (paid or free) or monitoring their behaviour. Note that the test is where the individual is, not their citizenship. If you’re an ambitious software start-up in Silicon Valley that’s going global, you’ll need to comply. If you’re an electronics firm in Singapore with a website that collects and uses data from EU residents, you’ll need to comply. And even though the UK is in the process of leaving the EU, if you’re a UK firm with customers and prospects in the EU, you’ll need to comply.
In essence GDPR revolves around the six principles set out in Article 5:
- Lawfulness, fairness and transparency – personal data must be processed on a valid legal basis, fairly, and in a way the individual can understand
- Purpose limitation – collected for specified, explicit and legitimate purposes, and not further processed in ways incompatible with those purposes
- Data minimisation – adequate, relevant and limited to what is necessary for the purposes for which it is processed
- Accuracy – kept accurate and up to date, with inaccurate data corrected or erased without delay
- Storage limitation – kept in a form that identifies individuals for no longer than the purpose requires
- Integrity and confidentiality – protected by appropriate technical and organisational measures against unauthorised access, loss or damage
Sitting over all six is a seventh requirement, accountability: the organisation is responsible for compliance and must be able to demonstrate it.
To make sure all companies take the rules seriously there are some pretty hefty fines involved. Breaches of the core principles, of individuals’ rights, or of the rules on international transfers can be fined up to €20m or 4% of worldwide annual turnover, whichever is higher. A lower tier of up to €10m or 2% of worldwide annual turnover applies to other obligations, such as record keeping, security measures and breach notification. Both tiers apply to controllers and processors alike, so companies that handle data on behalf of others (aka processors, like advertising agencies) are exposed too. GDPR also requires that companies not just comply but be able to demonstrate compliance. That means your company will need to change its processes and be able to show not only that it holds a valid legal basis, such as consent, for processing personal data, but also that steps have been taken in many other areas to uphold the GDPR rights and principles.
The B2B Perspective
In the UK and some other European countries, the previous data protection laws had little impact on B2B organisations, which were largely seen as excluded. Under the UK’s Privacy and Electronic Communications Regulations, the consent rule for marketing email applies to individual subscribers, so in practice you could email people at their business addresses until they asked you to stop. But no more: GDPR does not recognise a difference between businesses and consumers. A person is a person, at home or at work, and a named business contact is personal data. To market to them you’ll need their consent or a legitimate interest that you can justify and document (look out for our upcoming blogs for more on this).
The implications of GDPR need to be understood at the highest level. For example, individuals have an absolute right to object to direct marketing, including any profiling done for it, and once they object that processing must stop. If, like Amazon, you cleverly compare buyer behaviour to suggest other products to your customers, you’ll need to set up systems that let customers opt out and that actually stop the profiling when they do. Some pretty complicated re-coding will be required.
GDPR is big, this is true, but there is a silver lining for astute companies. In the future, those that can demonstrate good data governance will benefit from increased trust, improved data sharing and ultimately better revenues. Get it right, get it right quickly, and you could leave your competitors scratching their heads in a cloud of data dust.
Look out for our upcoming blogs on what GDPR means to your marketing department or get in touch now if you don’t want to wait.