After months – if not years – of speculation, planning and debate about exactly what the new rules mean, today the General Data Protection Regulation comes into force.
So, what does it actually mean for marketers?
What’s the latest thinking on its impact as it goes live? And how will your marketing activity change under the new rules?
We round up the latest news and opinion as the new regulation takes effect.
Getting to the heart of GDPR
One of the challenges with the new rules has been a lack of clarity around what exactly they mean, and what they require of firms.
The Information Commissioner’s Office – the UK’s representative on the EU’s GDPR Working Party – has attempted to clear up some of the confusion. Its blogs and publications on the regulation have been very helpful in delivering ‘plain English’ explanations on what’s needed.
This has proved an invaluable resource for marketers, compliance teams and others looking for clarity.
So much so that as I write this blog, the ICO website is unavailable – temporarily collapsed under the weight of interest from people who want the definitive steer.
Is GDPR as big a deal as we have been led to believe?
Rather like the PPI claims industry, an entire subculture has sprung up around the regulation, with law firms and others offering compliance advice and implementation support.
And with some commentators suggesting that data breaches will be the next PPI scandal, it’s little wonder businesses are taking it seriously.
Consent has been a big focus – just last week, the Information Commissioner’s Office published its final guidance on consent, setting out the changes that are needed to comply under GDPR.
The guidance compares the previous Data Protection definition of consent with the GDPR one:
DP Directive definition:
“any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”
“any freely given, specific,
And that ‘this definition is only the starting point for the GDPR standard of consent. Several new provisions on consent contain more detailed requirements… In essence, there is a greater emphasis in the GDPR on individuals having clear distinct (‘granular’) choices upfront and ongoing control over their consent.’
It notes that while ‘the key elements of the consent definition remain…the GDPR is clearer that the indication must be unambiguous and involve a clear affirmative action’.
Consent isn’t the only way
While more robust consent is a big feature of the regulation, it’s not the be-all and end-all.
Seeking consent has perhaps been such a focus that it has overshadowed the truth of the rules, which is that there are five other lawful bases for processing data.
This is something that firms seem to have realised quite late into the process. The flurry of emails seeking consent has, in recent days, been replaced with ones focusing on their privacy policies.
If your firm is still seeking consent, it’s worth exploring whether one of the other bases is more appropriate.
In a BBC News article titled ‘GDPR: the great privacy panic’, technology correspondent Rory Cellan-Jones today talks about the ‘increasingly frantic messages asking me to opt in’.
The danger of the consent approach, he says, is that while larger organisations may be acting on ‘expensive legal advice that this was the safe route to take’, smaller businesses may follow their lead, and ‘risk losing contact with customers who could be vital to their future’.
If you’re an SME without the option of expensive legal advice, but want to make sure you’re complying, our tips on how small businesses can overcome the GDPR challenge may be helpful.
Compliance doesn’t end today – it starts
Elizabeth Denham, the Information Commissioner, has been busy responding to a (fairly last-minute) surge of interest in the new rules. Today she made an appearance on Radio Four’s Today programme, and has also published a new blog (which if the world and his dog has stopped reading it, you may be able to access here).
The blog stresses that 25 May doesn’t mark the end of GDPR activity for marketers – the opposite, in fact.
It’s the start of a new era in communication and data – a changed landscape for marketers.
If you haven’t already, you need to think about how your marketing may change under GDPR. For instance, it’s predicted that GDPR will increase the use of social media, as a way of circumventing the new data rules.
Look too at some of the efficiencies you may need to make to counteract the additional work the new regulation entails.
A responsible approach to data
Key to meeting the GDPR requirements – and many of the other rules that regulated firms face – is creating a culture where your customer is central to everything you do. Make client focus the core of your ethos and you are likely to have a head start with any regulation aimed at improving consumer treatment.
Keep up with the ICO’s regular blogs and GDPR microsite – both good sources of information. Staying abreast of any new thinking will help as you embed the regulation as ‘business as usual’.
Of course, GDPR is just one of a myriad of rules faced by marketers, particularly if you’re overseen by the FCA or another industry regulator, but also for unregulated businesses.
To make sure you’re on the front foot when it comes to the rules that govern you, and how to avoid compliance breaches, you can download our Marketing Guide to Compliance.
The free guide covers nine key areas that marketing needs to know about financial promotions and compliance. You can read a copy here.
Nothing in this document should be treated as an authoritative statement of the law. Action should not be taken as a result of this document alone. We make no warranty and accept no responsibility for consequences arising from relying on this document.