Hold company information? Engaged in digital marketing? If so, it's important to prepare now for the new EU data protection legislation, the GDPR, which takes effect on 25 May 2018. The GDPR regulates the processing of personal data about EU individuals, and the fines for non-compliance can be large enough to cripple a company. Clean up your data storage, data handling, marketing automation practices and related setup now, so that you will be GDPR compliant.
GDPR: Important Overhaul Legislation
GDPR regulates the processing of personal data about EU individuals.
This new, comprehensive EU data protection law updates existing laws to better protect personal data in light of rapid technological developments, increased globalisation and more complex international flows of personal data. The GDPR replaces the existing patchwork of national data protection laws with a single set of rules, directly applicable in every EU member state.
GDPR: Broad Definitions
Beyond the size of the fines and the fact that it applies across the whole EU, another issue is that the GDPR's definitions are very broad.
- Processing includes the collection, storage, transfer or use of data, and even extends to tracking individuals' online activities. Any company, anywhere in the world, that processes personal data of EU individuals is within the scope of the law.
- Personal data covers any information relating to an identified or identifiable individual (called a “data subject”).
Data protection refers to the legal control over access to, and use of, stored data about individuals.
Who is Involved
- The Information Commissioner, the UK supervisory authority, who enforces the regulations and checks compliance.
- The Data Controllers. A data controller is any company or person who collects and keeps data about individual people and decides what that data is used for. Under the GDPR, controllers whose processing meets certain thresholds must also appoint a Data Protection Officer (DPO): a named person within the company who monitors data protection compliance and is the contact point for the Information Commissioner. The DPO is not the controller; the organisation itself is.
- The Data Subjects. These are the individuals who have data stored about them, somewhere, outside of their direct control.
Data Protection Register
Currently, under the Data Protection Act 1998, any business, organisation or person who stores personal data about people must notify the Information Commissioner and be entered on the Data Protection Register. The GDPR drops this general notification requirement; in its place, controllers must keep their own records of processing activities, covering much the same information, and produce them to the Commissioner on request.
There are 6 things to register:
- The data controller’s name and address.
- A description of the information to be stored.
- What they are going to use the information for.
- Whether the data controller plans to pass on the information to other people or organisations.
- Whether the data controller will transfer the information outside the European Economic Area (EEA).
- Details of how the data controller will keep the information safe and secure.
EU GDPR’s 7 Core Changes
- Expanded rights for EU individuals: the GDPR expands the rights of EU individuals, including the rights to deletion, restriction and portability of personal data.
- Compliance obligations: The GDPR requires organisations to implement appropriate policies and security protocols, conduct privacy impact assessments, keep detailed records on data activities and enter into written agreements with vendors.
- Data breach notification and security: The GDPR requires organisations to report certain data breaches to data protection authorities, and under certain circumstances, to the affected data subjects. The GDPR also places additional security requirements on organisations.
- New requirements for profiling and monitoring: The GDPR places additional obligations on organisations engaged in profiling or monitoring behaviour of EU individuals.
- Binding Corporate Rules (BCRs): The GDPR officially recognises BCRs (which Salesforce offers for certain of its services) as a means for organisations to legalise transfers of personal data outside the EU.
- Enforcement: under the GDPR, authorities can fine organisations up to the greater of €20 million or 4% of a company's annual global turnover, depending on the seriousness of the breach and the damage caused.
- One stop shop: The GDPR provides a central point of enforcement for organisations with operations in multiple EU member states by requiring companies to work with a lead supervisory authority for cross-border data protection issues.
Data Protection Principles
Everyone responsible for using data has to follow strict rules called ‘data protection principles’. They must make sure the information is:
- used fairly and lawfully.
- used for limited, specifically stated purposes.
- used in a way that is adequate, relevant and not excessive.
- kept for no longer than is necessary.
- handled according to people’s data protection rights.
- kept safe and secure.
- not transferred outside the European Economic Area without adequate protection.
There is stronger legal protection for more sensitive information, such as:
- ethnic background.
- political opinions.
- religious beliefs.
- health and sex life.
- criminal records.
You should also be aware of another law: PECR, the Privacy and Electronic Communications (EC Directive) Regulations 2003, which are derived from European law. They implement European Directive 2002/58/EC, also known as 'the e-privacy Directive', and work in tandem with the UK Data Protection Act.
The purpose of PECR is to give people specific privacy rights in relation to electronic communications. PECR specifies rules for:
- Marketing calls, emails, texts and faxes.
- Cookies (and similar technologies).
- Keeping communications services secure.
- Customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.
Who’s in Charge in the UK
The Information Commissioner’s Office or ICO (ico.org.uk) is the UK body that takes enforcement-action against organisations that “persistently ignore their obligations, starting with those that generate the most complaints”.
Next year's regulation will take things a lot further, but fines are already being issued today, with Honda in the news this month. The company was fined under PECR for emailing customers to ask whether they wanted to keep receiving marketing, in order to clean up its database ahead of the stricter rules. The lesson: an email asking for consent to marketing is itself a marketing email, and sending it to people whose consent you do not already hold is a breach.
Data Protection Breach
This is the issue. The new EU General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. Once enforced, companies that breach the law could face dramatically higher penalties than ever before.
While previously the highest penalty ever issued was £400K, the new penalties could amount to €20 million or 4% of annual global turnover, whichever is higher. Could your business survive that kind of penalty? Best to avoid it. With 14 months left to get organised, now is the perfect time to prepare: work with clean (double) opt-in lists only, and put further protection and adequate processes in place.
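The double opt-in itself is a small mechanism, but it is the part of list hygiene that produces evidence of consent. The Python below is an added example written for this page, not code from the original article or from any Salesforce product. It issues an HMAC-signed, expiring confirmation token when someone requests a subscription, moves the address onto the mailable list only when a valid token comes back from the confirmation link, keeps a consent record (purpose, request time, confirmation time, source) as the audit trail, and supports withdrawal. The secret key, the 48-hour link lifetime and all class and function names are assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed for the example: in production the key comes from a secrets manager.
SECRET_KEY = b"replace-me-with-a-random-32-byte-key"
# Assumed policy: confirmation links stop working after 48 hours.
TOKEN_TTL_SECONDS = 48 * 3600


@dataclass
class ConsentRecord:
    """Evidence that a double opt-in completed: what was agreed to, when, and via which channel."""
    email: str
    purpose: str          # e.g. "newsletter"; consent is bound to one purpose
    requested_at: int     # unix time the sign-up form was submitted
    confirmed_at: Optional[int] = None
    source: str = ""      # where the request came from, e.g. "web-form"


class MailingList:
    def __init__(self, key: bytes = SECRET_KEY, now: Callable[[], float] = time.time):
        self._key = key
        self._now = now  # injectable clock so expiry can be tested deterministically
        self._pending: Dict[str, ConsentRecord] = {}
        self._confirmed: Dict[str, ConsentRecord] = {}

    def _sign(self, email: str, purpose: str, issued: int) -> str:
        msg = f"{email}|{purpose}|{issued}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def request_subscription(self, email: str, purpose: str, source: str) -> str:
        """Step 1: record the request as pending and return the token for the confirmation link."""
        if "|" in email or "|" in purpose:
            raise ValueError("'|' is the token separator and may not appear in fields")
        issued = int(self._now())
        self._pending[email] = ConsentRecord(email, purpose, issued, None, source)
        return f"{email}|{purpose}|{issued}|{self._sign(email, purpose, issued)}"

    def confirm(self, token: str) -> bool:
        """Step 2: verify the token from the link; only then does the address become mailable."""
        try:
            email, purpose, issued_s, sig = token.split("|")
            issued = int(issued_s)
        except ValueError:
            return False
        # Constant-time comparison: a forged or edited token is rejected here.
        if not hmac.compare_digest(sig, self._sign(email, purpose, issued)):
            return False
        now = int(self._now())
        if now - issued > TOKEN_TTL_SECONDS:
            return False  # stale link
        rec = self._pending.pop(email, None)
        if rec is None or rec.requested_at != issued or rec.purpose != purpose:
            return False  # nothing pending (already confirmed, withdrawn, or superseded)
        rec.confirmed_at = now
        self._confirmed[email] = rec
        return True

    def may_send(self, email: str, purpose: str) -> bool:
        """Gate every send on a confirmed record for this exact purpose."""
        rec = self._confirmed.get(email)
        return rec is not None and rec.purpose == purpose

    def consent_evidence(self, email: str) -> Optional[ConsentRecord]:
        """What you would show a regulator or the data subject on request."""
        return self._confirmed.get(email)

    def withdraw(self, email: str) -> bool:
        """Withdrawal of consent: remove the address from both the pending and confirmed lists."""
        was_pending = self._pending.pop(email, None) is not None
        was_confirmed = self._confirmed.pop(email, None) is not None
        return was_pending or was_confirmed


if __name__ == "__main__":
    ml = MailingList()
    token = ml.request_subscription("alice@example.com", "newsletter", "web-form")  # constructed sample
    print("mailable before confirm:", ml.may_send("alice@example.com", "newsletter"))
    print("confirm ok:", ml.confirm(token))
    print("mailable after confirm:", ml.may_send("alice@example.com", "newsletter"))
    print("evidence:", ml.consent_evidence("alice@example.com"))
```

Two design points matter here. Consent is bound to a purpose, so a confirmed newsletter subscription does not license partner offers; and the pending record is consumed on confirmation, so a confirmation link cannot be replayed to re-subscribe someone who has since withdrawn.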
Our Pro-active Role
What do we see as our role in preparing the UK marketing automation industry for the upcoming data protection legislation? Our focus is on helping you, pro-actively. CloudAnalysts' MD Jimson Lee is part of a steering committee for the marketing automation industry in London that helps companies be fully prepared and compliant with the upcoming legislation. He is speaking at and organising talks on this topic on a number of occasions, e.g. at the Salesforce London Marketing Cloud User Group.
Note: we are facilitating consultants, not lawyers, so you and your company must seek your own legal counsel to ensure compliance with the law.
Interested in Learning More?
To read up on the GDPR, we found this to be an excellent resource by the ICO: Data Protection Reform: Overview of the GDPR.
As expert consultants in Salesforce cross-cloud and marketing automation, we are happy to help you with GDPR under that umbrella.