The 25th of May 2018 marks the day that the Data Protection Act (DPA) will be replaced by the European Union’s General Data Protection Regulation (GDPR). This framework consists of a more in-depth scope and severe prosecutions for those who fall short of compliance with the revised rules for the storage and use of personal data. All organizations operating within the EU, as well as organizations that provide goods and services to the EU, are subject to the new laws.
Thus, Brexit has no influence on the legal obligations imposed upon any business involved in EU business interactions.
Only minor differences exist between the DPA and the GDPR, but the GDPR is stricter, meaning it is safe to assume that if your business is in possession of data that is governed by the DPA, it is likely that it will fall within the scope of the GDPR.
What does GDPR mean for SMEs and Marketing?
Much has been reported about the vulnerability of SMEs to cyber attacks; the careful management of personal and sensitive data has never been so critical. One of the biggest changes SMEs will face is the issue of consent. GDPR forces SMEs to know the precise nature and contents of the personal data that they hold and exactly where it is located, and to have procedures in place to ensure that data is completely removed from the database when requested by a consumer.
Under the new legislation, businesses are required to keep a strict record of how data is collected and from where exactly it was sourced. In addition to this, “consent” refers only to active agreement and disclaimers are not sufficient, as users must actively opt in. It can no longer be deduced from a vague indication of interest such as filling in a survey or clicking on a certain web link.
Furthermore, businesses are required to possess a clear trail of consent, depicting each step in the process of data collection and clearly showing the prompt to “unsubscribe” at each stage of the digital marketing nurture process. We will all be required to keep an audit trail of where that consent came from and what messaging individuals were responding to when they opted in, as well as the date and time. The public have the right to withdraw consent at any time, quickly and easily. In other words, individuals have the right to be forgotten.
If a data breach occurs, companies are to inform the relevant authorities within 72 hours, providing the specifics of the breach and proposing a plan to deal with the consequences, according to the law. There is a concept known as ‘Privacy By Design’, which is highly relevant and will likely become a ‘best practice’ with regard to data collection management. The term refers to all business processes and products that involve personal data or impact the privacy of an individual being designed in accordance with data protection requirements.
Personal data is a key tool for SMEs looking to target and retain customers: GDPR requires this data to be handled with the utmost care and diligence. Any data that can be used to identify an individual is considered to be personal data. It can include things such as genetic, mental, cultural, economic or social information, and IP addresses. Sensitive personal data, known as ‘special categories of personal data’, will include genetic data and biometric data which is processed to uniquely identify an individual.
The penalties facing transgressors of these revised laws can amount to four percent of the total annual global turnover, not based on the prior financial year, not to mention the well-known PR ramifications for organizations that are known to be victims of a data breach. You need to make sure that your systems protect privacy by design, internally and externally, and that contractual provisions are in place with your clients and your service providers to ensure that compliance and adequate indemnities exist.
Brainstorm's 12 Steps Of Preparation
Brainstorm’s take on these steps came about after consulting a report by the ICO (Ico.org.uk, 2017).
You should make sure that decision makers and key people in your organisation are aware of the legal changes brought about by the GDPR. It is important that we appreciate early on the impact it will have on the methods of data collection, storage and usage.
Brainstorm is already well along this route.
2. Information held by your organisation.
You should document what personal data you possess, where it came from and everyone who could possibly have access to it. It is strongly recommended to organise an information audit.
Most CRM software does this automatically, but Brainstorm continuously runs in-depth checks to ensure that our systems are backed up securely, with maximum security, and we stay in touch with the other CRM providers that we use.
3. Individuals’ rights
We advise taking a good look at your procedures to ensure that the rights of individuals are met at all times, including what methods are followed to delete and provide personal data in a suitable format.
Brainstorm’s CRM software meets these standards. We utilize double opt-in to ensure that both our own and our clients’ people have actively agreed to be part of a mailing list, meaning the subscription process is member driven.
4. Communicating privacy information
A thorough review of your current privacy notice is required to put an effective plan into action, in order to meet the standards and time constraints imposed by the GDPR implementation.
In line with Brainstorm’s dedication to staying ahead, we are conducting an analysis of our own and our clients’ privacy notices, to ensure that our business processes are in line with the GDPR standards months before May 2018.
5. Lawful basis for processing personal data
It is advised that you identify the lawful basis for your data processing activities in the GDPR, document it and update your privacy notice to convey it accurately.
Brainstorm is currently consulting with our various CRM software partners, in order to make sure that we continue to maintain streamlined CRM efficiency with ethical data protection practices.
6. Subject access requests
In order to handle data presentation requests within the prescribed timescale, your business should update its procedures in order to access, sort through and present data in an efficient manner.
Our CRM software provides detailed, up-to-date reports of the personal and sensitive data within our system and all actions involved in its collection and utilization.
Reviewing how you seek, record and manage consent will enable you to know whether changes are required on your behalf. Renew and authenticate existing consents in order to ensure they meet the GDPR standard.
Our CRM software automatically matches the details relating to consent and data collection to ensure its legitimacy and lawfulness. The CRM consultations mentioned in point 5 relate to this.
8. Data breaches
You should make sure you have the correct processes in place to detect, report and investigate a personal data breach. As mentioned earlier, 72 hours to report and propose a lawful plan to make amends does not allow you much leeway.
Brainstorm has never been affected by a data breach. We routinely request the latest security upgrades from CRM partners and our CRM software has comprehensive data breach solutions in place.
How are you going to go about ensuring that new market entrants are integrated into the process without a glitch? You should start thinking now about developing systems for age verification and how to obtain lawful parental or guardian consent for any data processing activity.
Brainstorm is a business services company that is highly unlikely to request subscriptions from children. However, age verification is easy to implement and we are in discussions with our CRM providers concerning a lawful parent/guardian consent facility.
10. Data Protection by Design and Data
You should familiarize the relevant business personnel with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance on the subject. Decision makers and managers must plan and decide how and when to implement these codes into your organization.
Being deeply involved with our CRM systems, our clients of course have access to the database in order to conduct sales management activities. We have plans to create a video stressing the importance of this law, by detailing strict procedures to follow when accessing and working with the database. This will ensure that our clients are as informed as we are.
11. Data Protection Officers
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organization’s structure and governance arrangements. You should consider whether you are required to formally designate or whether it is a matter of fulfilling the data protection management task and then clearly demonstrating it.
This step of preparation is covered by Brainstorm in the same way as mentioned in Step 10.
If your organization operates in more than one EU member state, we suggest that you determine your lead data protection supervisory authority, so as to avoid any minor discrepancies with larger consequences.
We are currently in the process of analyzing the data protection policies of relevant supervisory authorities, to ensure that we meet the standards in all areas in which we conduct business.
Whose watchful eye is presiding over the data collection process your marketing department is following? These new regulations may require adaptation and may seem stringent, but if transparency and security are what you are after, you are that much closer to achieving them.
At Brainstorm, they have always been here and they are here to stay.