As a PR Agency we need to plan for GDPR. From May 2018 the game is changing and the old rules of the Data Protection Act 1998 (DPA) are being updated.
Most of us probably know by now that the stakes are higher. With the DPA there was a cap of £500,000 that the ICO could levy; with GDPR the penalties will reach an upper limit of €20 million or 4% of annual global turnover – whichever is higher. Serious stuff. It is also a game changer in that, as a business, we have to earn trust in order for people to want to share their data with us.
In addition, it seems that the ICO is bolstering its enforcement section so that it can monitor for data breaches and enforce against them where they occur. Given that Uber, which attempted to brush away its recent breach, would under GDPR have to pay out millions, the threat of insolvency or even closure as a result of GDPR penalties will soon be very real for many businesses.
Whilst this post is in no way exhaustive, it can act as a reminder of the key issues to consider around GDPR:
- It impacts both B2B and B2C businesses.
In fact, it will tighten things up for B2B businesses, not least by bringing in the burden to demonstrate compliance and the principle of accountability. This is probably the main area that most of us will struggle with under the new regime.
- It relates to personal data about any living individual.
Under GDPR this will include photographs (of staff, customers, or any individual). Whether consent is needed will depend on the degree of information about that individual that is disclosed. Therefore various tactics (a wide-aperture shot, etc.) can be used to disguise identifying detail so that ‘legitimate business interest’ can be claimed and reliance on consent avoided. It will also apply to details of prize winners, information taken when responding to customer complaints or enquiries, details of people attending events and journalists’ details. In short, anything that goes over and above ‘legitimate business use’ – which, out of interest, only relates to the name and contact details of a person working for an organisation.
- There are 6 Key principles to be aware of
These are:
- Lawfulness, transparency and fairness
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality
This is not forgetting, of course, the additional burden to demonstrate compliance, i.e. accountability.
- Consent must be opt-in
No two ways about it: boxes cannot be pre-populated with a tick! The opt-in must be totally unambiguous. Of course, consent should be your last port of call (see next point).
- You can try to avoid relying on consent by:
- Determining what is covered by contractual performance
- Determining what is covered by legitimate business interests
- Determining if it is required legally
- It will mean a sea change in how you process data
This will include the necessity of data mapping and conducting thorough audits of how you collect data, why and where, and for what you use it. It will mean issuing a processing notice at the time you collect the data and rewriting said processing notices so that they cover all of the things you do with that data. In theory, this even includes if you collect business cards at a networking event!
Whilst final pre-deadline guidelines are due to come out soon, GDPR comes into full force on 25th May this year, in tandem with the PECR (Privacy in Electronic Communications), which sits alongside the DPA and affects email marketing. And many businesses are still clueless. There is no point burying your head in the sand. So start thinking now about how you will ensure your customers benefit from you collecting their data, and prepare for readiness by developing a data promise, optimising your data collection processes and wordings, putting in new controls and accountability, and developing a proposed solution right across your business (including your clients and suppliers). You might even need to think about building data issues into your crisis management plan.