The General Data Protection Regulation (GDPR) is new legislation which introduces a wide range of reforms with a significant effect on data collection, processing and storage activities.
It provides individuals with a suite of new rights in relation to their data. A right:
- to be informed;
- of access;
- of rectification;
- of erasure (to be “forgotten”);
- to restrict processing;
- of data portability;
- to object; and
- certain rights related to automated decision making and profiling
Both data controllers and, significantly, data processors have new obligations and potential liabilities under the new regime.
It comes into effect on 25 May 2018. That might feel like a long way away, but if you want to avoid facing some hefty fines (the higher of up to 20 million euros or 4% of global turnover), then it is best to start preparing now.
How it affects your business
Many of the changes under the GDPR formalise current best practices promoted by the UK’s Information Commissioner’s Office (ICO).
The GDPR promotes accountability and governance, which complement its transparency requirements, and it has elevated their significance.
So you will be expected to put in place comprehensive but proportionate governance measures such as privacy impact assessments. The concept of privacy by design is now legally required in certain circumstances.
Of course, in practice, this is likely to mean more policies and procedures for organisations who have not previously had good governance measures in place.
Conditions of lawful processing
One of the GDPR’s most dramatic impacts will affect companies wishing to process data for marketing purposes. The new changes significantly update the concept of “consent” as a condition of lawful processing.
Consent must be “freely given, specific, informed, and unambiguous” and in the case of an automated decision, “explicit” consent is required. So it will impact how you go about collecting each customer’s consent for the storage and usage of their data, and will affect everything from how you create word copy to how you design UX (user experience) elements of data collection portals, pathways, landing pages, and forms.
Where companies previously used a simple tick-box approach to request consent from customers for all processing purposes, you will now be required to provide an explanation of why you need the data, what it will be used for, and by whom. If you are relying on the consent principle to process such data, you’ll need the customer’s unambiguous consent to do so.
Automatic opt-in boxes are out and so are conditional permissions buried in your terms and conditions. The GDPR is all about transparency and accountability and any reliance on consent must meet this strict principle. Customers will be required to manually check an opt-in box to show unambiguous consent has been given.
Where data processing will be different (for instance with email addresses as opposed to dates of birth), explanations should be made granular, so that customers have a clear idea of the ways in which the different bits of the data they supply will be used.
And if you’re going to be sharing the data with any third parties, these will need to be clearly named (‘other hospitality venues’ will not be acceptable – you will have to actually name the venue that the data will be shared with).
Finally, you will also have to ensure that you document all the records of consent that you have, as well as making it easy for customers to withdraw their consent in line with the customers’ new rights set out above (essentially to be “forgotten”). These functions will most likely be facilitated by your CRM provider, but you need to start planning in the tools now.
Legitimate Interest Condition
You can still rely on other lawful bases apart from consent – for example, where processing is necessary for the purposes of your organisation’s or a third party’s legitimate interests.
Marketing activities are still considered legitimate interests by the ICO and under the GDPR but you must justify your activity and consider the privacy risk for the customer. This means ensuring the customer understands the reasons for processing and that the customer would reasonably expect such use based on a balanced assessment.
It is generally accepted that a company has a legitimate interest in using basic customer details to promote its products. So, provided the customer has not indicated they do not wish to receive marketing materials and the company provides a clear means to opt out, such an assessment would be positive.
B2B and B2C marketing
We have to draw a distinction between B2C and B2B marketing activity. For the purposes of this blog we are concentrating on the impact on B2C marketers as there are significantly fewer regulatory requirements which affect B2B marketers than those affecting B2C marketers.
The existing Privacy and Electronic Communications Regulations (PECR) focus on protections for consumers in the B2C sphere and, generally, marketing to corporate employees via electronic channels does not require consent under PECR. However, the new ePrivacy Regulation is coming into force in the next year or so and, as it is currently worded, could potentially require opt-in consent for B2B marketing.
What about my existing data?
As advised by the ICO: “You are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR, but if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented, and easily withdrawn. If not, alter your consent mechanisms and seek fresh GDPR-compliant consent, or find an alternative to consent.”
It is recommended you carry out a data protection impact assessment audit or privacy impact assessment (they are both essentially the same thing) and review each aspect of your data collection and processing procedures. This will enable you to identify and fix problems at a relatively early stage, reduce the risk of associated ongoing costs, future-proof the integrity and lawfulness of one of your most valuable assets – your customer data, and reduce the likely risk of damage to your reputation.
Do not do what Flybe, Honda and MoneySupermarket.com did, which was to use GDPR as a reason to email their customers (including opt-out customers) to try and update their records under GDPR. Their activity contravened the current Privacy and Electronic Communications Regulations (PECR), and those companies were levied heavy fines by the ICO for their conduct.
GDPR – It’s not all bad
These changes might seem to put more restrictions on how you can go about collecting and recording your customers’ information but there are upsides to the new regulations too. Customers are more likely to give correct, up-to-date information about themselves if they feel like they can trust that their data is going to be stored correctly and is not going to be misused.
This also means that databases will increase in quality: inaccurate and outdated data will be replaced by newer and more accurate data. Customer databases will, therefore, be able to provide better insight into their customers as data analyses will return more accurate information that can be used to inform top-level strategy and management decisions.
So what can you do to start preparing? Well, the ICO has a load of free advice and guidance available at www.ico.org.uk and the Direct Marketing Association has provided a handy series of guides and webinars (as well as a fancy clock ticking down to when the laws come into force) so that you can start preparing now.
A fair bit of the new legislation is still open to interpretation and guidance from the ICO continues to be updated. There will no doubt be quite a few interesting test cases in the months and years to come to help clarify some of the issues!
The details provided in this blog are for information purposes only and should not be relied on as legal advice for the purposes of your business. You are recommended to seek independent legal advice with regard to any of the above before acting upon the same. Excello Law excludes any liability as a consequence of any reliance on this blog.
NB: Originally prepared as part of a series for clients of digital customer experience specialist Airship Services: www.airship.co.uk
Please contact Peter Rawlinson on 07899 906476 or [email protected] if you’d like more information or advice in connection with the new regulations or any other commercial law matter.