Why do we need a new law?
The last data protection law in the UK was the Data Protection Act 1998. Although that law was suitable for its time, developments in technology and the growth of the internet have made it out of date. Data is now used and transferred across the globe in ways that lawmakers in the 1990s could not have imagined. The use of social media and multiple channels has transformed the way we communicate with each other and share information. As most of the data we use in these communications is personal, and much of it is tracked and recorded, the law protecting people's privacy needs to be strong and up to date.
What is the purpose of the GDPR?
Against a background of global data transfers and greater threats to privacy, a new law was needed to give the personal data of people in the EU robust protection. That protection applies to anyone in the EU, regardless of where in the world their data is processed. Because the law is a regulation rather than a directive, it applies directly and in the same form in every EU member state, so people have the same privacy rights whichever state they live in. GDPR applies from 25 May 2018 – a date for your diary!
What does this new law mean to marketers?
One of the main changes that will affect marketers is the wider scope of personal data covered by the law. Personal data is broadly defined as any data that can identify an individual, either by itself or in combination with other data you hold now or are reasonably likely to obtain in the future. This even includes data such as IP addresses, online identifiers and location-based information. As marketers, most of the data we process to undertake marketing will be personal data under this definition. Because of this, you must make sure you are complying with all of the GDPR principles below:
Lawfulness, fairness and transparency: You must ensure that your use of the data rests on one of the lawful bases in the regulation (for most marketing this will be consent or legitimate interests) and that the customer/prospect has been told clearly what you do with their data and why.
Purpose limitation: You must specify to your customer what your purpose for using their data is.
No further processing for incompatible purposes: You must ensure that data gathered for one purpose, is not used for another purpose.
Data minimisation: You must only gather the data about a customer/prospect that you intend to use and is relevant for the purpose.
Integrity and confidentiality: You must keep the personal data of your customer/prospects safe and secure.
Storage limitation: You must only keep the personal data of your customers/prospects for as long as is necessary for the purpose it was collected for.
Accurate and up to date: You need to ensure that your customer/prospect details are accurate and up to date. If you are using data for profiling and segmentation, up to date data is essential.
Accountability: Your compliance with all of the above principles will need to be documented in detail to demonstrate compliance with GDPR.
The GDPR is considerably stricter than the 1998 Act, and much needs to change in many organisations, especially in relation to the accountability principle: it is no longer enough to comply, you must be able to show that you comply. The best way to ensure the correct records are being kept is to have a robust data governance structure in place.
What happens if I break the law?
Fines for the most serious breaches of the regulation can be up to €20,000,000 (roughly £17,000,000) or 4% of worldwide annual turnover, whichever is higher, so this is something that all marketers need to take notice of. Any action from the regulator (even if it is not a fine) will seriously damage an organisation's reputation with prospects and customers. Regulatory action could even lead to financial loss far beyond that of a regulatory fine, through loss of customers and business. If you haven't started to prepare for GDPR already, it's important that you do, as the cost of non-compliance to an organisation could be eye-watering.