Probably you are not going to like this article, but you should read it anyway. Because the new privacy regulation (GDPR) will impact your business, if you are active in the EU. Especially from a marketing and personalization point of view – also think direct mail – the changes have a significant impact. The deadline for compliance is approaching really fast: 25 May 2018. Fines for not being compliant are huge: up to 4% of your global annual revenue, or 20 million euro, whichever is greater. And that’s why you need to continue reading this article…
The general idea behind the GDPR is that the privacy of individuals needs to be protected. Permission to use personal data should be explicit, not implicit. Individuals can ask for access to their data, they can ask to have it updated, and they have ‘the right to be forgotten’, as well as the right to opt out of marketing campaigns.
Who does it apply to?
Every organization, commercial or not, of ANY size, that is conducting business in the EU and is storing and processing ‘personal data’ that originates in the EU. So American companies that have customers in the EU and store personal data about them need to be compliant.
In a few cases, there are exceptions for SMEs, e.g. they don’t need to keep records of all data processing, unless the processing happens on a regular basis, is likely to threaten people’s rights and freedoms, or involves sensitive data or criminal records.
What is ‘personal data’?
Personal data is any information that can be used to identify a person. This could be a picture, a name, an address or an e-mail address. But also the IP address of a computer… And then there is sensitive personal data, such as cultural, racial, economic or medical data.
And this is really important: a company name or a company address is not personal data. But the name or mobile number of a person within that company is personal data.
The controller, the processor, the DPO
The regulation makes a distinction between controllers and processors. The controller is the one that determines the purpose and means of processing personal data. The processor is the one that processes personal data on behalf of the controller. So, e.g., a direct mail company will be the processor; the customer – who defines the direct mail campaign and provides the data – is the controller.
There is also the DPO, the data protection officer. Depending on the size of the organization and the amount of data, a DPO is mandatory. However, a DPO can be an external person. This opens up opportunities for new businesses, which will be deeply involved in a company’s handling of data. Both a controller and a processor may need a DPO.
The general idea is that data protection should be by design and by default. Which means that you have to put in place a systematic approach to personal data. And it should take into account the state of the art in data security… This is something that will take time to design and implement. This article gives a very good overview.
When a data breach occurs, the appropriate regulator needs to be informed within 72 hours. The affected individuals also need to be notified if there is a “high risk to that person’s rights and freedoms”, and in a way that is easy to understand. There are a few exceptions to that notification of individuals.
When new data processing technologies are introduced and the processing is likely to result in a high risk to the rights and freedoms of individuals, a data protection impact assessment (DPIA) is mandatory. The controller must ask the DPO for advice on this.
This last one has a serious impact. To be able to comply with it, you need a full inventory of all personal data: classify the risk level, document where it is stored, understand which systems might access the data, and identify which users have rights to access it. And this exercise should be repeated on a regular basis.
GDPR and marketing
There will certainly be an impact from GDPR on marketing. But not just on the marketing department of the brand: everyone who touches the personal data is involved, which includes direct mail printing companies in their role as data processors. The relationship between the controller and the processor should be clear. It is even wise to put certain aspects, like responsibilities, in a contract. Another important aspect is whether a data processor uses a third party for (parts of) the data processing job: this can only be done if the controller knows about it and agrees to it!
GDPR will also have another, positive aspect in the future: due to the explicit ‘opt-in’, the quality of mailing lists will improve. Which in turn will improve response rates and return on investment.
How to proceed?
The Information Commissioner’s Office in the UK has assembled this list of 12 steps:
- Awareness: You should make sure that decision-makers and key people in your organization are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
- Information you hold: You should document what personal data you hold, where it came from and who you share it with. You may need to organize an information audit.
- Communicating privacy information: You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
- Individuals’ rights: You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
- Subject access requests: You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
- Legal basis for processing personal data: You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.
- Consent: You should review how you are seeking, obtaining and recording consent and whether you need to make any changes.
- Children: You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.
- Data breaches: You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
- Data Protection by Design and Data Protection Impact Assessments: You should familiarize yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in your organization.
- Data Protection Officers: You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organization’s structure and governance arrangements.
- International: If your organization operates internationally, you should determine which data protection supervisory authority you come under. In case of uncertainty over which supervisory authority is the lead for your organization, it would be helpful for you to map out where your organization makes its most significant decisions about data processing.
Why is this important?
One reason why this is important is very clear: compliance with GDPR is mandatory for everybody who does business in the EU, and the fines are huge. But there is more. This will change the way marketing acquires and handles personal data. And it might even offer new business opportunities to data processors, e.g. direct mail output providers: not every company will have an internal DPO. Data processors might offer this as an extra service to customers. And get really intimate with them… securing future cooperation.
PS: GDPR is complex. When implementing GDPR, it is advisable to consult an expert to get a clear and correct view of every nuance. For the record: I am not an expert, and this article is not legal advice.