GDPR starts today - all you need to know about compliance

After months of preparation and discussion, it’s finally here.

25 May 2018. #GDPRday.

Today the General Data Protection Regulation comes into force. With the regulation now a fact of life for marketing compliance, we look at what it actually means. What are people saying about its impact as it goes live? And how will you need to change your approach to ensure you comply with the new rules?

We round up the latest news and opinion as the regulation takes effect. 

Seeking clarity on compliance

In the early stages particularly, one of the challenges around the new regulation was a lack of clarity around what exactly it means, and what organisations need to do to comply.

The Information Commissioner’s Office (ICO) is the UK’s representative on the EU’s GDPR Working Party. The ICO has been very proactive in trying to clear up some of the confusion. While some of the detail around the regulation was not clarified until relatively recently, the ICO has tried throughout the preparation phase to cut through some of the uncertainty.

Its blogs and publications on the regulation have delivered ‘plain English’ explanations on what’s needed – a helpful resource for compliance teams, marketers and others looking for clarity.

Is GDPR as big a deal as we have been led to believe?

An entire subculture has sprung up around the regulation, with law firms and others offering compliance advice and implementation support.

In some ways, the flurry of activity is similar to that around payment protection insurance claims – and with some commentators suggesting that data breaches will be the next PPI scandal, it’s little wonder businesses are taking it seriously.

Is it all about consent?

Consent has been a huge focus of discussion about the regulation.

Last week, the Information Commissioner’s Office published its final guidance on consent, setting out the changes that are needed to comply under GDPR.

The guidance compares the previous Data Protection Directive definition of consent with the GDPR one:

DP Directive definition:

“any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”
GDPR definition:

“any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”

It notes that while ‘the key elements of the consent definition remain…the GDPR is clearer that the indication must be unambiguous and involve a clear affirmative action’.

And that ‘this definition is only the starting point for the GDPR standard of consent. Several new provisions on consent contain more detailed requirements…In essence, there is a greater emphasis in the GDPR on individuals having clear distinct (‘granular’) choices upfront and ongoing control over their consent.’

So – your contacts have increased choices when they initially give consent and, ongoing, can expect to exert more control over how their data is managed.

Consent isn’t the only way

While more robust consent is a big feature of the regulation, it’s a mistake to think that GDPR compliance is all about getting compliant consent.

Seeking consent has been a huge focus of the discussion. So much so that perhaps it’s overshadowed the truth of the rules, which is that there are five other lawful bases for processing data.

This is something that firms seem to have realised quite late into the process. The flurry of emails seeking consent has, in recent days, been replaced with ones focusing on their privacy policies.

If your firm is still seeking consent, it’s worth exploring whether one of the other bases is more appropriate for you.

Privacy panic

In a BBC News article titled ‘GDPR: the great privacy panic’, technology correspondent Rory Cellan-Jones today talks about the ‘increasingly frantic messages asking me to opt in’.

But he goes on to say that it is not clear whether these emails are necessary – that maybe companies don’t ‘really need to send out a "click here or disappear" email, rather than the less radical approach of outlining their privacy policy and giving recipients the opportunity to unsubscribe from the mailing list’.

The danger about the consent approach, he says, is that while larger organisations may be acting on ‘expensive legal advice that this was the safe route to take’, smaller businesses may follow their lead, and ‘risk losing contact with customers who could be vital to their future’.

If you’re a smaller business and don’t have a legal opinion to base your approach on, but want to ensure you’re compliant, you may find our tips on how small businesses can overcome the GDPR challenge helpful.

Today marks the start – not the end – of compliance

Elizabeth Denham, the Information Commissioner, has been in demand this week, responding to a (fairly last-minute) surge of interest in the new rules. This morning she made an appearance on Radio Four’s Today programme; this week she has also published a new blog about the updated Data Protection Directive and its role alongside the GDPR.

The blog stresses that 25 May doesn’t mark the end of GDPR and enhanced data protection. Instead it’s the start of a new era in communication and data.

If you haven’t already, you need to think about how your firm’s marketing may change under GDPR. For instance, it’s predicted that it will increase the use of social media, as a way of circumventing the new data rules. Read more about how to minimise risk in your social media strategy.

You might also want to explore some of the efficiencies you and your Marketing team can make to counteract the additional work the new regulation will bring.

A responsible approach to data

Central to complying with the GDPR requirements – and many of the other rules that regulated firms face – is creating a customer-focused culture. Embed a culture with compliance and fair treatment of customers at its heart and you will have a head start with any regulation aimed at improving the consumer experience.

For GDPR specifically, you should keep an eye on the ICO’s regular blogs and GDPR microsite – both good sources of information. Staying abreast of any new thinking will help as the regulation becomes ‘business as usual’.

For advice on creating a more customer-focused, compliant culture in your firm – which will help you not only to meet the GDPR requirements, but stay on the front foot with any other changes – why not download a copy of our whitepaper, How to embed a compliance culture within your business. It’s free, and you can get a copy here.

Nothing in this document should be treated as an authoritative statement of the law. Action should not be taken as a result of this document alone. We make no warranty and accept no responsibility for consequences arising from relying on this document.
