The General Data Protection Regulation (GDPR) – Are you complacent or compliant?
You may have thought about data protection recently, but you are probably still doing things roughly the same way without considering any change: communicating with your audience whenever you have had the opportunity, and marketing products and services wherever possible. If so, you may well have been breaking the law without realising it.
If this sounds like your organisation, get ready for some dramatic changes. The new data protection laws due in May 2018 will seriously affect the way you communicate with your audience, how you process data and who you share data with. The General Data Protection Regulation (GDPR) is the first major review of data protection in 20 years and is intended to protect data subjects with powerful new rights.
The GDPR aims to give clearer guidelines on consent-based communication preferences for data subjects; you won’t be able to communicate with your customers, members and supporters without a good and lawful reason. There will also be hefty monetary penalties to discourage offenders from taking any chances with personal data. Penalties will rise from a top limit of £500,000 to an incredible £20 million. The supervisory authority in the UK, the Information Commissioner’s Office, will have new powers, such as the right to enter your premises, the right to audit you and the right to reprimand you.
No one knows what will happen or whether these powers will be exercised. My opinion is that they will definitely be tested. The GDPR is principles-based legislation, but it’s not a black and white regulation; it’s more like 50 shades of grey.
Interpreting the rules to fit your particular circumstances is therefore vital if you are to maintain growth in your organisation. This is particularly true when you examine the conditions for processing. This GDPR article explains how you might lawfully communicate with your audience. There are six lawful reasons – you only need one – but there is already considerable debate as to which you can use effectively. The best is ‘Consent’. This is where your subject has clearly, specifically and unambiguously demonstrated their wishes.
Then there is ‘Necessary for contract’. This is where you have sold someone something and you are required to service the contract that now exists; the customer has the right of legal recourse against you if you don’t. Among a few others, there is ‘Legitimate Interest (LI)’. This is your interest in selling something, or in raising money for a cause. As long as your LI doesn’t override the subject’s rights and freedoms, you may well have a solution for your communications plan.
Data subjects get some robust new rights too. These include the right to be forgotten, or to be erased, and the right to object to marketing. Ignore these rights and you’ll almost certainly be fined. Subjects also have enhanced rights to make access requests for a copy of their data. You’ll need to find an effective way to identify the person and then share the information in a commonly used electronic format. Apparently, that isn’t a PDF! If you operate CCTV for crime prevention purposes, you’ll also have the headache of finding a way of sharing images you may have captured of people, should they wish to see them. Having tested this at my local supermarket, I can assure you even one of the country’s biggest grocers has no idea how to do this.
Subjects will also have the right to a judicial remedy should you cause them material or non-material loss. If their data is stolen, shared or otherwise abused, they will be able to sue you. It’s widely anticipated that firms of lawyers will bring affected data subjects together in a series of class actions against offenders.
Finally, the GDPR issues guidance on profiling. Profiling is where information about you is processed electronically, in an automated way, to reach a conclusion about you: your financial status, your behaviour, your likes and dislikes. There are many ways this might be happening.
For example, your bank will be profiling you frequently to ascertain your financial status, and the credit rating agency Experian does it all the time on every single citizen in the UK. This is profiling, and without your clear consent it is unlawful. How this will change the way we market our products and services is yet to be fully realised, but it will be very different.
The GDPR is here to stay and for good reason, in my opinion. 90% of all the data that has ever been collected was collected in the past five years – a sign of the importance of data and the power it brings. So, by May 2018, you need to make sure you are processing data lawfully.
If you handle, store, share or process personal data for UK or EU subjects, you can’t ignore the GDPR, or you could suffer the consequences.