GDPR is now less than a month away, so we thought it would be useful to answer some of the questions we get asked most often by those unsure how to tackle the game-changing data legislation. Below are Adlantic’s top seven GDPR Frequently Asked Questions.
There isn’t a one-size-fits-all approach when it comes to GDPR; every company is different. But it is important to remember that May 25th is a starting point, not a deadline. What matters most is how you adapt to not only survive (i.e. avoid fines) but thrive (achieve competitive advantage) in the new environment defined by GDPR.
Between now and then it is crucial for companies – and their marketing teams – to change the way ‘personal data’ is obtained, stored and secured to ensure compliance. GDPR, of course, extends well beyond marketing, but we will focus on the impact on marketing activities as this is where your agency should be able to give advice.
As every company has a slightly different situation, we thought it would be worth listing the questions you should be asking your agency.
1. Is there an easy way to ensure GDPR compliance?
Some very small organisations will probably be able to achieve compliance without much effort, but large organisations will need to spend a considerable amount of time. A recent survey by SmallBusiness.co.uk found that one in four companies with over 5000 employees expect the cost of GDPR to exceed £1M, and UK SMEs have spent over 80 days (600 hours) preparing for the legislation over the past year.
2. What are the GDPR rules for how long I can keep data? Does GDPR require opt-in marketing communications?
GDPR doesn’t work by defining timescales, and therefore it’s impossible to provide a straightforward list of requirements that you need to meet. GDPR requires organisations to look at the personal data they hold and determine the right way to handle it. Although there are best practices emerging, organisations need to make decisions for themselves.
GDPR doesn’t require opt-in for marketing communications, despite what you might have heard. You can claim that direct marketing is a “legitimate interest” for your organisation, allowing you to use an opt-out policy, but you must make sure that the justification is documented clearly.
3. Does GDPR mean I have to stop email marketing, unless a contact explicitly opts in?
This is a common misconception. Companies can claim that direct marketing is a ‘legitimate interest’ for their business and therefore justified without explicit consent. However, citizens do have the right to opt out, and you must balance the data subject’s right to privacy against your legitimate interest in direct marketing to decide whether claiming the legitimate interest is reasonable.
4. How do I show I’m compliant?
The regulations are pretty straightforward about this. To show compliance, you must:
- Implement appropriate technical and organisational measures that ensure and demonstrate that you comply. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.
- Maintain relevant documentation on processing activities.
- Where appropriate, appoint a data protection officer.
- Implement measures that meet the principles of data protection by design and data protection by default.
5. Can my agency sort out compliance for me?
Unfortunately not. Agencies don’t have enough visibility into client activities and so would be unable to accurately represent the company.
It’s hard for a marketing agency to know everything that needs to be done, or for a client to give access to all the systems that contain personal data – which includes any folder containing files with contact details.
They can, however, review the marketing automation system to see whether there is clear documentation about the source and consent of a contact.
Some aspects of GDPR involve weighing the data subjects’ rights against a legitimate interest. Although agencies can give opinions on how to balance these rights, so clients are fully informed, in the end it’s a decision they must make based on advice from their legal counsel, and one that should never be outsourced to a marketing agency.
It’s not all doom and gloom…
Although GDPR does place some arduous demands on marketing & information technology, it is possible to comply and continue proactive practices and efficient database marketing automation activities that drive revenue for your company.
Although your marketing agency can’t do it for you, there are many different points in the process at which they can help. There’s still time to meet the deadline if you’re able to call in knowledgeable help and support.
In the UK, the Data Protection Act 1998 sets out how organisations must handle data, and that includes a number of ways in which a company can be penalised.
The new legislation, the General Data Protection Regulation (GDPR) that comes into effect on the 25th of May introduces tougher penalties.
Let’s look at some of the fines issued this year under the DPA and the change to enforcement penalties under the new GDPR.
Data scandals seem to be coming thick and fast these days. Every week it feels like a different company is hacked or wrapped up in some form of scandal involving the personal information of their customers. Let’s look at how and why it might be happening.
- You’ve read 12 steps to take now from the ICO in preparation for the GDPR. ✔
- You’ve read our Start Preparing For GDPR Today blog. ✔
- You’re aware that the law is changing, and GDPR will apply from May 25th 2018. ✔
- You acknowledge it will have an impact on how you manage the information you have on customers, marketing recipients, suppliers and employees. ✔
It sounds like you’re on the right track when it comes to GDPR. Now, it’s time to move on to step 2 – documenting the information you hold, where it came from and who it’s shared with. Hang on a second. This audit is much bigger than you first thought.
Do you have customer data sitting in different websites, billing systems, customer relationship management and email management systems?
Does your business hold sensitive information kept on paper in files such as health information (e.g. think children’s nurseries, nursing homes for the elderly)?
An audit of all the information you have in your business is required but you don’t have the time or skills to organise it yourself. You’re on step 2 out of 12 and you’re facing up to the fact you need help from a GDPR expert to get it all done.
If the above scenario sounds familiar, you are not alone. Although many of the principles in GDPR are similar to the current Data Protection Act (DPA), there are now extra requirements. GDPR puts an emphasis on accountability, and that means documenting the data you have, how you share it and how you protect an individual’s privacy.
Who can help with GDPR?
If you are seeking a qualified expert to help prioritise data and complete the vital steps towards compliance with GDPR, read our three tips on choosing your GDPR consultant.
1. Do they have a legal or data protection background?
A person with a legal background or first-hand experience of data protection legislation, including the current Data Protection Act 1998, is a must.
2. Are they providing software or GDPR expertise?
An understanding of data protection has to come first. It is possible for some organisations to achieve compliance working with existing systems. You want someone to interpret how the legislation applies to the complexities of your business and who can then provide a clear road map to compliance.
3. Do they have GDPR crisis management experience?
Can this person advise and represent your business should you suffer a data breach? A consultant that has worked with you to achieve compliance will have the information and knowledge to help you manage any scenario being investigated by the Information Commissioner’s Office.
Useful GDPR links for business:
- Preparing for the General Data Protection Regulation (GDPR) from the Information Commissioner’s Office (ICO)
- The ICO’s Guide to the General Data Protection Regulation (GDPR)
- Federation of Small Businesses video on GDPR by Elizabeth Denham
- Small organisations advice section on the ICO website
Stressing out about the looming GDPR deadline of 25th of May? Relax! Be happy – Adlantic is here to placate the dread being felt by many small businesses right now.