May 25th 2018 sees Directive 95/46/EC (the Directive) replaced with the GDPR. This will affect any business within the E.U. or that connects with an E.U. citizen. The impact will be felt globally, in what will be the first major shake-up of European data protection laws since 1995, when the Directive was launched. We know that the GDPR will affect the way businesses and individuals obtain, store, use and discard personal data. In short, it regulates the processing of data.
Disclaimer: All information mentioned has been found through our own research. To determine exactly how GDPR may affect you and your business, we recommend that you seek professional legal advice.
A significant part of the GDPR is how it expands an individual’s rights even further than before. People can now request that the data you hold on them be deleted (the right to be “forgotten”) and now also have the right of portability. This is where an individual requests that the data you hold is transferred to another organisation.
But what about Brexit? The cutoff date for Britain to leave the E.U. is March 29th 2019, and there will be a need to regulate data protection for British citizens. They will no longer be covered by the GDPR. Britain will be using a very similar version of the GDPR called the Data Protection Bill, a replacement for the Data Protection Act of 1998. Although there will be small differences in the policies, it is worth ensuring you are compliant with both. You must be compliant by 25th May, as there will not be a grace period as there is with some other legislation.
In order to collect, process, use and store data, you must have a person’s consent. The automatic opt-ins that have been used, such as consent as a condition of sale / service, pre-ticked consent boxes and vague conditions, are no longer acceptable.
Collecting and using a person’s data has never been so hard for an organisation. A person has to choose to opt in and must be given clear information on how their data will be used and how they can withdraw consent for data to be used. The evidence of consent must be stored too (who, when, how and what they are consenting to). When asking someone to sign up for anything that involves collecting or processing their data you’ll need to ensure the following is in place:
Who you market to and how you do it is now regulated. As previously discussed, automatic and condition-of-sale opt-ins are no longer allowed. Instead, individuals have the power to choose whether or not they opt in. Marketers need consent before they can call, email or direct mail people.
When individuals do opt in, they need to be informed of who will be marketing to them (company or organisation names included!) and whether third parties will be using the personal data too (once again they must be named!). How personal information will be used should be explained, and if this changes at any point, then the individual should be contacted to consent again. The final change for marketers is that individuals must be aware that they have the right to opt out at any point, and this should be described clearly.
If Fix My Car’s marketing company is ASSISTED. Ltd, then we would recommend that they are named as part of the opt-in policy. The policy should state that:
Fix My Car will use your personal data to contact you by phone, email or direct mail with our latest news, deals and updates. ASSISTED. Ltd will have access to your personal data and may contact you on behalf of Fix My Car. You have the right to opt out at any time. In order to opt out you can email [email protected] with your name and email address. If we need to contact you for any reason other than those stated above, then we shall contact you to obtain further consent in accordance with the GDPR.
A final thought for marketers to consider is that blanket consent is no longer a viable option. The use of vague language and “subject to change” use of data is prohibited. If the purpose of how you use a person’s data changes, then you’ll need to get the person’s consent again, no excuses!
It’s probably best that you stick to the GDPR. Failure to comply with the new regulation can result in heavy fines of up to twenty million euros or 4% of your global annual turnover (whichever is higher)! The introduction of the GDPR is set to significantly change marketing and how personal data is processed. It’s better to get any new practices and updates made as soon as possible. Come May 25th 2018 there will be no excuses.
As previously stated the views expressed in this article are the author’s take on GDPR. They are by no means legal advice and should be used for informational purposes only. If you’re unsure as to how your organisation will be affected by GDPR you should seek professional legal advice.