How will GDPR affect businesses?
There have been a lot of scare stories out there about the incoming General Data Protection Regulation (GDPR) and the threat of huge business-crippling fines, leading to many panicked marketers and business owners. However, this step-by-step guide will help remove the confusion and sense of horror from the situation. In fact, brands should see it as a positive new dawn of valuable communication with customers.
What is GDPR?
GDPR means General Data Protection Regulation and will come into force in May 2018. GDPR is an EU-wide regulation that applies to everyone in EU member states. No matter what happens regarding Brexit, it’ll be part of EU law. Brexit is a slow-moving lava flow of legal change and so GDPR comes into effect way before the UK’s separation from the EU starts, so take it as read that GDPR affects you.
GDPR covers all personal data held about a living individual. If you manage MailChimp newsletters for either your own business or a client, this affects you. If you organise competitions or use cloud storage, you’re affected. There are three parties in the process:
Data Subject – the individual whose data has been collected
Data Controller – an individual or organisation that holds a collection of emails
Data Processor – an individual or organisation which processes personal data on behalf of the controller. If, say, you outsource the data for direct marketing, you become the data processor. Cloud storage providers are also counted as processors, so even if it’s not your data, it still affects you. That also includes sub-contractors, and you need to be sure everyone in the data chain is fully compliant.
One of the big changes to the law is the new responsibility that lies with the Data Processor. It’s a way to crack down on spam. If you’re a PR professional or marketer who sends information out on behalf of an organisation, you’re the data processor. If you sub-contract the information out to another company, then you’re the lead processor and you are required to have the same contractual obligations with the sub-contractor as you have with the controller. You’re liable for the actions or inactions of any sub-processor (sub-contractor).
That also means that even if the data processor, such as a marketing company, is outside the EU, if it deals with EU citizens’ data, then GDPR affects it. Data processors need to be able to demonstrate the correct processing activities to the Information Commissioner’s Office (ICO).
How to prepare for GDPR
In order to cover yourself under the new regulation, you need to ensure the sign-up process for customers is lawful, fair and transparent.
You must state upfront the specific purpose of using the information. The use of the data must be relevant to that offered during sign-up and the data must be secure.
The individual (data subject) has the right to ask at any time what data you store on them and how you use it.
GDPR extends the scope to online identities too, so in addition to email addresses, social media handles are included as personal data.
The following questions should be considered when writing a privacy notice for customers:
– What information is being collected?
– Who is collecting it?
– How is it collected?
– Why is it being collected?
– How will it be used?
– Who will it be shared with?
– What will be the effect of this on the individuals concerned?
– Is the intended use likely to cause individuals to object or complain?
Sign-up to our newsletter?
In terms of consent, there must be a clear message with a positive opt-in. This is a BIG change and means it’s not enough to have a box already ticked with a sign-up option, or to ask customers to tick a box to opt out of subscriptions. Right from the very beginning, consent must be given positively and without detriment. Take note, PRs and marketers who manage competitions, and newspapers which sell on competition entry data to third parties: better stop that now.
MailChimp is a popular way of sending out newsletters to customers. By using the positive opt-in function, MailChimp automatically records the process, so it’s documented.
Scrap that and start again
Mark Gracey of the Digital Compliance Hub says that many brands may need to rebuild from scratch valuable email databases that have taken them over a decade to create.
Alternatively, every single person already signed up to a newsletter or email should be emailed ahead of May 2018 and asked if they want to continue to receive information.
Full marks to Red Bull, who did this back in the middle of 2017. They emailed their Bulletin subscribers and said that they’d need to opt in to continue receiving a revamped newsletter. No mention of GDPR, just the promise of targeted, entertaining content and stories if you opted in.
By contrast, in the summer, the pub chain Wetherspoons decided it best to delete their entire email database of 700,000 people and rely on social media instead. It was a watershed moment for the brand; they decided to make the decision for their customers. As content marketing specialist Mark Masters says: “People will be more willing to opt into your message when they see something they can relate to and not become coerced into something they never really wanted in the first place.”
While GDPR is seen as a black cloud on the horizon for some, Gracey and Masters agree that it can be seen as a marketing opportunity. It’s the end of the spam era and a chance to ensure your marketing is something that people want to receive. It’s not about numbers anymore. It’s about genuine relationships with your customers and providing value.
The small print just got larger
Companies can no longer hide underhand procedures in the Privacy Policy and Terms and Conditions (take note, Fabletics). It’s not enough to expect the customer to read multiple pages of tiny print online. Everything needs to be explicit and clear. There are some nice examples of best practice here.
It must also be easy for people to complain or withdraw from the process, without detriment. Every individual has the right to erasure, and with that, you have to remove all their data.
Protecting Children
Children obviously need to be well-protected too, and many apps and websites have child-friendly (or not so child-friendly) messaging capabilities. Children need to understand the sign-up process and a guardian needs to provide consent. Age verification is a big problem online. The minimum age for Instagram, Facebook, Snapchat and Twitter is 13, but a large percentage of their users are underage. Mark Gracey, who runs workshops on GDPR, privacy and online consent, predicts we will be seeing interesting processes for age verification in the future.
For your records
Another big change is the record keeping. You need to be able to provide evidence of how you collected data and what you’re using it for. You need to show how people offered their consent.
Any information you already hold is called legacy data, and you need to check that it is already compliant. That’s a biggie. You’ll need to evidence that you’ve sought and received consent for those already on your database prior to May 2018, and that you’ve done this through a positive opt-in.
Part of your policies portfolio should include a Data Protection Impact Assessment, documenting all the steps you take to remain compliant. GDPR also stipulates that there should be a Data Protection Officer within the organisation. Before May 2018, Data Protection Officers used to be a token gesture and put to the side. Now they need the ear of the board, to be taken seriously and allowed to do their job.
Employee training also needs to be ongoing, ensuring all new staff know how to be compliant.
Hacks and Breaches
Any data breaches need to be immediately reported to the regulatory body (poor form, Uber). Data subjects need to be notified of the breach so they can mitigate the risks (for example, so that we can change our passwords and notify credit card companies and banks).
Fines can be anything up to 4% of global turnover, or up to £20 million. That’s far higher than fines are now. End result? Businesses need to ensure they are acting responsibly and document the processes they are following.
What GDPR means for marketing and PR
Lots of my fellow PR colleagues have been asking about what this means for users of media databases and emailing journalists and bloggers. How can we ensure we’re GDPR compliant?
Emailing people in a B2B capacity, such as a PR sending a journalist or blogger relevant information, is absolutely fine.
However, as with many of the situations above, PRs need to constantly think about what value they are providing. Are you “spamming” the journalist with your lack of research into the publication they write for and the type of articles they create? Or are you sending personalised, targeted material that’s going to be helpful to them?
Many PRs have Excel spreadsheets or online platforms for managing their contacts. You should password-protect and encrypt these, as you should whatever computer or device you work from. If you leave your phone on the bus or train, do you have adequate security so no one else can access your emails and data? Do you use two-factor authentication for your apps and social media?
If you run your own PR business, it’s worth spending the time writing up the steps you take into a document, so that you have the policy to hand in case you’re asked for it in the future.
Free GDPR Resources
The ICO website has a list of resources, such as checklists for data controllers and processors.
To sum up…
The GDPR says that the information you provide to people about how you process their personal data must be:
– concise, transparent, intelligible and easily accessible;
– written in clear and plain language, particularly if addressed to a child; and
– free of charge.
So that’s an outline of the basic framework and the changes you can make now. I hope you’ve found it useful. It’s a guideline only and not legal advice, so to fully understand the law and to cover your business fully you should consult your own legal advisers for legal advice specific to your own circumstances. Jo O’Connell and JellyRock PR accept no liability of any sort arising from the use of this article. We recommend you have a look at the Digital Compliance Hub, which offers GDPR audits and training, as well as the ICO itself.