GDPR: Far-reaching implications of new data regulation

Data Protection graphic

The last major overhaul of data regulations was 20 years ago, before Google, Facebook, Apple and other technology companies collected and processed the personal data from millions of people.

In the UK we relied on the Data Protection Act 1998. However, with inconsistencies on data protection across member states of the EU, leaders from the European Parliament, Council and Union have come together and developed a new standard for the collection, storage and processing of personal data.

The new General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a comprehensive new EU data protection law that comes into force on 25th May 2018 and will effectively replace the Data Protection Act of 1998.

The Regulation has far-reaching implications for all UK businesses – large and small – and is designed to standardise data protection rules across EU countries. It is already enshrined in UK law, so will come into effect regardless of Brexit.

The GDPR specifically relates to the processing of personal data with greater emphasis on the ‘fundamental rights and freedoms’ of individuals (known as ‘data subjects’). This includes how organisations collect, store, transfer or use personal data and includes, for example, employee records, customer information or prospects/sales leads.

Although the GDPR relates to personal data and not companies, any data that can identify a ‘natural person’ will fall under the new regulations. This includes an individual’s name or email address even if they work for a limited company or LLP.

Complying with GDPR

GDPR Checklist Graphic
There is considerable scare-mongering surrounding the GDPR particularly as the ICO (Information Commissioners Office) has new powers to fine up to €20m or 4% of global turnover for non-compliance.

However, while it is true that compliance will be more onerous with new standards of governance and accountability, most well-run companies will be able to comply by taking appropriate measures. This includes reviewing security protocols, having clearly defined policies and conducting regular assessments.

In particular organisations should:

  • Clearly document the personal data they hold, how and when it was sourced, how it will be used, how it is updated and who will have access to it
  • Demonstrate the lawful basis for processing personal data
  • Have freely available privacy policies that are fair and easy to understand and explain what personal data is held, how it was sourced, for what purpose and the legal basis for processing data
  • Recognise the rights of individuals to know what personal data is held and why, and respect their demand to correct, restrict or remove their data
  • Have procedures in place to detect and report on a data breach, such as a computer hack, theft of data by an employee or other breach
  • Assign someone to take overall responsibility for data protection and compliance

GDPR and Marketing

There is wide-spread confusion about marketing under the GDPR with some pundits suggesting the new regulation could have dire consequences for marketers because of tighter opt-in ‘consent’.

The GDPR is explicit on the use of consent – it must be freely given, specific, informed and unambiguous. Companies will no longer be able to use pre-ticked boxes to gain consent, or use confusing or misleading methods.

However, consent is not the only way to comply with the GDPR. There are six legal grounds for processing data and for many companies, particularly business-to-business, legitimate interest will be the legal basis for direct marketing purposes in accordance with Article 6(1)(f) of the Regulation. Indeed Recital 47 of the GDPR states clearly; “The processing of personal data for direct marketing purposes may be regarded as carried out for legitimate interest”.

Organisations will need to take all the steps necessary to comply with the new GDPR whether or not they use data for marketing purposes – the rules relate to the processing of personal data and the rights of the individual whether this is a customer, prospect, supplier, a membership or circulation list, employee or any other data subject.

Managing your marketing data list

GDPR graphic
To comply with the GDPR it is essential that your customer and prospect lists are accurate and kept up to date. You will need to document how you acquired the data, how you use it and how you keep it up to date.

With customer data this can be straightforward, but for companies targeting new customers, especially in trade and commercial sectors, collecting and managing your own marketing data lists is likely to fall short of the new Regulation and could leave your business exposed to serious fines.

Insight Data can help ensure you comply with the new General Data Protection Regulation and get the most from your B2B marketing and customer acquisition.