GDPR: Get on top of data protection reform (and avoid a €20m fine)
Read our guide to data protection reform and find out what steps your business should take to be fully compliant before the new rules comes into force in 2018.
If you’re a business owner or marketer who keeps your ear to the ground, you’ll have heard rumblings about something called GDPR. Perhaps you’ve heard talk of eye-wateringly large fines being issued if your company is not compliant. You may be starting to think, “Er, I really should be doing something about this.”
So we’ve put together a handy guide to GDPR to explain what it is, why it’s important, and the steps your business can take to make sure you stay compliant when the new rules come into force.
We’ll also explain what we’re doing here at Sookio so you can see the practical steps we’re taking ourselves to protect personal data.
OK. So what is GDPR?
The General Data Protection Regulation will require every organisation that offers products or services to EU citizens or handles their data to adhere to a strict set of data privacy and security measures.
Why is GDPR being introduced?
The main aim is to help citizens of the EU take back control (hmmm, that phrase sounds familiar) of their personal data.
As you’ll know if you’ve ever ended up on some dodgy mailing list with no idea how you got there, your personal data is something of value. Privacy is becoming ever more important and we need to be able to protect our digital lives.
For businesses – particularly those operating across borders – GDPR will offer a core set of rules that everyone can work to across the EU.
It will ensure consistency around data protection laws, so it’s easier for businesses to make sure they are doing it right.
But isn’t there already the Data Protection Act?
Technology has developed at an incredible rate, but it’s been nearly 20 years since our data protection laws were last updated.
There were no smartphones, online shopping was in its infancy, and our inboxes weren’t full of email marketing spam. GDPR will bring things into the 21st century.
When does GDPR come into force?
It’s being applied from 25 May 2018.
We are currently in a two-year transition period which began in April 2016, which is why you’re hearing more and more people talking about it now.
What do we mean by data, anyway?
What we’re talking about is any information which can be used to identify someone.
This could be a name, address, date of birth or other factors pointing to their physical, genetic, mental, economic, cultural or social identity. Along with IP addresses, user IDs, GPS data and cookies.
To whom does GDPR apply?
Organisations operating within the EU who process data, and those outside who offer goods or services to individuals in the EU.
But aren’t we leaving the EU? Why do we need to bother?
Woah there! You’re not getting away with it that easily.
The UK Government has confirmed that the Brexit will not affect the start for GDPR or the need for British businesses to comply.
How big are the fines if we don’t comply to GDPR?
Get ready for this. Under Article 83(5), serious infringements can result in fines of up to €20m, or 4% of your company’s global annual revenue. Whichever is higher.
For less serious infringements we’re talking €10m or 2% of global turnover.
For UK businesses this is significantly higher than the current maximum of £500k. And either way, this is a LOT of money to give away.
So is it only for big business and not SMEs?
It’s for everyone. So, if you handle personal data about your customers – perhaps you buy and sell products online, you’ve developed an app for people to track their diet or fitness, or you’re a charity with a large mailing list – then you’re going to need to sharpen up your approach.
How will GDPR be enforced? How will they know if you’re breaching the law?
Anyone who has suffered damage for unlawful processing of their data will be entitled to receive compensation.
So you could potentially be reported if there’s been a data breach or someone suspects you have not handled their data correctly. You would have to prove this is not the case.
What’s a data breach?
It’s more than just losing personal data, it can be the destruction, loss, alteration, unauthorised disclosure of or access to the data.
A good example is Ashley Madison, the marital affairs website who suffered a cyber attack leading to details of 33 million users being published online – even those who had paid an extra fee so the data would be deleted. The company was fined $1.6m for failing to protect their users’ data.
So what are the key principles of GDPR?
It’s all set out in Article 5. Personal data must be:
processed lawfully, fairly and in a transparent manner in relation to individuals
collected for specified, explicit and legitimate purposes
adequate, relevant and limited to what is necessary
accurate and, where necessary, kept up to date. Inaccurate data should be erased or rectified without delay
kept in a form which permits identification of data subjects for no longer than is necessary
What are individuals’ rights when it comes to their personal data?
To be informed
To have access
To restrict processing
To data portability
Plus rights in relation to automated decision making and profiling.
Who is responsible for all this?
You are. You also have to be able to demonstrate compliance with the principles.
How can you demonstrate you comply?
There are several things you can do. Why not get started well ahead of the deadline?
Put in place technical and organisational measures. These could be:
o staff training
o internal data protection policies
o internal audits of processing activities
o reviews of internal HR policies
Maintain relevant documentation on processing activities
Appoint a data protection officer
Minimise the amount of data you collect
Continually review and improve security features
Explain clearly and concisely to customers how you will be using their data
Get their consent – and keep a record of this!
Give notice if the data will be used by third-party applications
The Information Commissioner’s Office website has lots of useful information on GDPR and the steps you should take. Take a look at our handy list of links to the right.
As time goes on, we also expect to see the rise of tools which take some of the sting out of compliance. We've recently started working with Databoxer, a nifty little widget which does just that.
So what are we doing about GDPR at Sookio?
My first thought was that as a digital marketing agency GDPR wouldn't affect us too much because we never pass on data to third parties and we don’t do any online transactions.
And then I remembered; email marketing! Ah. We manage our own list and those for clients, so this is a big concern. We also keep all our clients’ details in our accounts and CRM system; this is all completely private, but it still means we’re processing and storing data.
Here are the steps we are going to take to make sure we are a GDPR compliant marketing agency and generally on top of security and privacy issues, well ahead of May 2018. You may want to follow some of these yourself….
1. Make sure the team understands what GDPR means and its implications. Especially the bit about the €20m fine. That certainly focuses minds.
2. Document the information we hold. This will be a simple spreadsheet showing the type of data, how it is used, where it came from and who it is shared with. Running a data audit and keeping it up to date means we can prove that we are making every effort to stay compliant.
4. Review our procedures to make sure they cover the rights of individuals. Can we erase personal data if someone requests it, for example? Could we locate the data, and who would be responsible for doing it?
5. Contact everyone on our email marketing database and confirm they give their consent for us to continue emailing them. We will advise clients to do the same, and offer this as an additional service.
There is an obvious downside to this! Be prepared to see the size of your list shrink as people take up the opportunity to be unsubscribed.
However, who wants to be sending out unwanted marketing messages? You might find that even though your list size has gone down, your percentage opening rate goes up because the people on it are more interested in what you’re offering.
As Simon Moss from Communigator explained at the On The Edge marketing conference we attended, "Email isn’t dead… It’s really alive and kicking." Despite the initial panic, he said, GDPR won’t necessarily kill email marketing, as long as we start preparing for it!
Plus, if you use a tool like Mailchimp to do it, you’ll be keeping a clear record of consent, which is as important as asking people in the first place.
6. Keep up high levels of password security to help avoid data breaches.
We currently use a password manager to generate unique passwords and keep them secure, and have already been contacting clients to suggest they do the same.
Avoid the temptation to use the same password across different channels, and get in to the habit of changing them when a member of staff leaves.
7. Revoke access for all apps that are no longer essential. We keep on top of this already and would advise clients to do the same.
So for example you might find that you’ve given all manner of apps access to your company Facebook or Twitter account, but are no longer using them and have no idea what they are doing with your own data.
While you’re at it, check who has admin rights too, and delete anyone who doesn’t need to be there. Give it all a spring clean.
8. Go through the Getting ready for GDPR checklist and for a final check that everything is in order.
How can we help?
If you would like help with any aspect of digital marketing, whether it's improving your email marketing performance or building strong relationships with your customers, just get in touch.