The advent of the General Data Protection Regulation next year will put the issue of data management centre stage for all Compliance teams.
What is GDPR?
The General Data Protection Regulation (GDPR) is a new EU regulation. It aims to strengthen and increase consistency in data protection for individuals within the EU. It also governs the export of personal data outside the EU.
It will replace the 1995 EU data protection directive (officially Directive 95/46/EC) and the UK Data Protection Act 1998 (DPA) when it comes into force on 25 May 2018.
What does GDPR say?
The big change with the new regulation is that firms need to get prior consent from someone before they can start marketing to them.
In other words, before you can send someone an email (even to their business email address) you need to get their permission.
This will have major implications for marketing compliance.
And with commentators suggesting that GDPR has the potential to be the next PPI scandal, it’s vital that your organisation gets it right.
Will your firm be affected?
The regulation will affect any organisation that:
- Possesses or processes data pertaining to an identifiable person
- Contacts those individuals via email, phone, SMS or mail
- Tracks their engagement via e-shots, cookies, or landing pages for the purpose of profiling an individual
In reality almost all, if not all, B2B firms will fall into one or more of these categories.
What do you need to do?
Although the GDPR requirements were initially fairly vague, more detail has emerged over recent months. In March this year, the Information Commissioner’s Office clarified the requirements of the new legislation.
With just eleven months left until the rules come into effect, you need to start thinking now about how the new rules will affect you, and take action to ensure you comply in time.
And although the UK is scheduled to leave the EU, Brexit is no reason for firms not to prepare.
But with Brexit creating a competing challenge, alongside MiFID II and the plethora of other regulations you need to deal with, many firms are unprepared.
Quoted in an article in City AM, Mark Thompson, global privacy advisory lead at KPMG, believes that “It’s worrying that with only a year to go, many organisations still have a lot to do. The truth is that many just don’t understand what they have to do – and how to deal with it.”
What are the penalties if you don't comply?
The Information Commissioner’s Office (ICO) investigates non-compliance with the new rules. If any firm is deemed to be in serious breach, they face potential fines of up to €20 million or 4% of the firm’s global revenue. The penalties are therefore significant.
And the fines are only part of the picture.
There will need to be clear processes around notification of breaches – something that firms aren’t currently obligated to do under the Data Protection Act. Under GDPR, all companies and organisations will have just 72 hours to notify data subjects of a breach – or may be fined.
Then there’s the cost of reputational damage.
Andrew Rogoyski, vice president of cyber security at CGI UK, is quoted in the same City AM article estimating that “only around 10-20 per cent of the major breaches companies suffer in Europe are currently made public, so lost shareholder value across European markets could rise by as much as a factor of 10 when the new regulations take effect in May 2018.”
With a recent report identifying that perceived good conduct is playing an increasingly important role in company reputation, ensuring your data management is in order will be essential to avoiding both direct and implicit financial penalties.
4 things you need to do now
1. Get a clear understanding of what is required. The Information Commissioner’s Office website has some useful resources, including a 12-step guide to GDPR preparation.
2. Review your processes. Does your current opt-in meet the new rules? If not, you need to change it. Contact everyone in your database and start collating their responses. You will need to make sure you store this information so you have evidence of their opt-in if you need it.
3. Start now. Get ahead of your competitors. If you’re the first financial services firm asking for marketing consent, you’re more likely to get it than if you’re the tenth. Get started ASAP.
4. Remember your existing compliance requirements. If you’re regulated by the Financial Conduct Authority or other regulator, you need to make sure you continue meeting their requirements as well as falling in line with the GDPR. In some cases, the two will converge. Getting prepared for the GDPR will help to ensure you’re treating your customers fairly, for instance – already an FCA priority.
GDPR should undoubtedly be a priority area for all Compliance teams. Work with your Marketing and Sales colleagues to identify the areas you need to address, and ensure senior management understands the importance of complying.
Start with our four priorities above, and take action to update your processes as soon as possible.
The GDPR is just the latest in a long line of regulations that govern financial promotions. For a refresher on financial promotions compliance, you can download our Compliance Guide to Financial Promotions.