GDPR – Will you be compliant in time?

What does GDPR mean for you?

The reasoning behind GDPR is to give consumers more control over who has their data and how it can be used. There are a few important steps that need to be taken to ensure that data is correctly controlled, processed, maintained, and secured.

If you are part of the EU this will apply from the 25th May 2018. Despite Brexit, we still have to comply: we will still be a part of the EU next year, and if we want to trade with EU countries we need to abide by the same rules.

GDPR will also apply to anyone outside the EU who is dealing with data that belongs to EU residents.

Does this mean the end of an era? Will there no longer be any electronic marketing? Email marketing has played a huge part for brands and networks; for consumers, however, it may be a positive move. It means an end to spam and to the endless sharing of data we currently see today.

Are you asking for consent?

Usually it is a case of a few pre-ticked boxes or lengthy terms and conditions that users agree to without having read a single word. To comply with GDPR, consent must be clear, specific and affirmative.

With this in mind, are you considering the following?

Consent must be opt in only

Opt out and pre-checked tick boxes will not be sufficient

Asking consumers to read lengthy privacy policies and terms and conditions will not constitute consent

Consent must be given separately for each individual use of personal data. Examples include:

1) Communication by email, SMS etc.

2) Messages by sponsors

3) 3rd Party data sales

When displaying an opt in to consumers, make sure you are informing them of how they might be contacted, how you are going to treat their data, and that they have the right to stop receiving updates from you at any time.

The right to be forgotten

Individuals (aka data subjects) have the right to be forgotten. This means they have the right to demand that their data is deleted once they no longer consider its use necessary. If the individual objects to how their data is processed or withdraws their consent, they have every right to ask for the data to be erased. As well as erasing all data from your own system, the controller is also responsible for telling other organisations to erase all copies of that data.

Data can only be held for a certain amount of time before it must be anonymised. Even if the individual never asks to opt out, you must still anonymise their data once that period ends.
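The consent rules above (opt in only, no pre-ticked boxes, one consent per purpose) together with the right to be forgotten and the retention limit can all be enforced in the system that stores the data. The consent ledger below is an added, illustrative example and is not code from the original post or from C7; every name in it (ConsentLedger, record_consent, the purpose labels, the 365-day retention period and the processor names) is an assumption made for the example. It refuses to record consent from a pre-ticked box, treats a missing record as no consent, keeps consent per purpose, returns the erasure notices a controller owes to each processor, and anonymises records that have outlived the retention period whether or not the subject ever opted out.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Purposes taken from the post's examples; each needs its own consent record.
PURPOSES = ("email", "sms", "sponsor_messages", "third_party_sales")


@dataclass
class ConsentRecord:
    granted: bool
    recorded_at: datetime
    source: str  # where the consent was captured, e.g. "signup_form" (hypothetical)


@dataclass
class DataSubject:
    subject_id: str
    email: Optional[str]
    created_at: datetime
    consents: Dict[str, ConsentRecord] = field(default_factory=dict)
    anonymised: bool = False


class ConsentLedger:
    """Hypothetical ledger enforcing opt-in consent, erasure and retention."""

    def __init__(self, retention: timedelta, processors: List[str]):
        self.retention = retention          # how long identifiable data may be held
        self.processors = list(processors)  # other organisations holding copies
        self._subjects: Dict[str, DataSubject] = {}

    def register(self, subject_id: str, email: str, now: datetime) -> DataSubject:
        subject = DataSubject(subject_id, email, now)
        self._subjects[subject_id] = subject
        return subject

    def record_consent(self, subject_id: str, purpose: str, ticked: bool,
                       pre_ticked: bool, now: datetime, source: str) -> None:
        # A box the user found already ticked is not an affirmative act, so it is
        # refused as a source of consent regardless of its final state.
        if pre_ticked:
            raise ValueError("pre-ticked boxes cannot establish consent")
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        self._subjects[subject_id].consents[purpose] = ConsentRecord(ticked, now, source)

    def may_contact(self, subject_id: str, purpose: str) -> bool:
        # No record means no consent: silence is not opt-in, and consent for
        # one purpose never carries over to another.
        subject = self._subjects.get(subject_id)
        if subject is None or subject.anonymised:
            return False
        record = subject.consents.get(purpose)
        return record is not None and record.granted

    def withdraw(self, subject_id: str, purpose: str, now: datetime) -> None:
        self.record_consent(subject_id, purpose, ticked=False, pre_ticked=False,
                            now=now, source="withdrawal")

    def erase(self, subject_id: str) -> List[str]:
        # Right to be forgotten: drop the record and return the erasure notices
        # the controller must send to every processor holding a copy.
        if subject_id not in self._subjects:
            return []
        del self._subjects[subject_id]
        return [f"erase {subject_id} at {p}" for p in self.processors]

    def anonymise_expired(self, now: datetime) -> List[str]:
        # Retention limit: strip identifiers from every subject held longer than
        # the retention period, whether or not they ever opted out.
        expired = []
        for subject in self._subjects.values():
            if not subject.anonymised and now - subject.created_at > self.retention:
                subject.email = None
                subject.consents.clear()
                subject.anonymised = True
                expired.append(subject.subject_id)
        return expired

    def get(self, subject_id: str) -> Optional[DataSubject]:
        return self._subjects.get(subject_id)


def demo() -> dict:
    # Constructed sample data walking through the scenarios in the post.
    day0 = datetime(2018, 5, 25)
    ledger = ConsentLedger(timedelta(days=365), processors=["mailer", "sponsor"])
    ledger.register("u1", "u1@example.com", day0)
    ledger.register("u2", "u2@example.com", day0)
    ledger.record_consent("u1", "email", ticked=True, pre_ticked=False, now=day0, source="signup_form")
    try:
        ledger.record_consent("u2", "sms", ticked=True, pre_ticked=True, now=day0, source="signup_form")
        pre_ticked_rejected = False
    except ValueError:
        pre_ticked_rejected = True
    results = {
        "email_ok": ledger.may_contact("u1", "email"),
        "sms_ok": ledger.may_contact("u1", "sms"),  # consent does not bleed across purposes
        "pre_ticked_rejected": pre_ticked_rejected,
    }
    ledger.withdraw("u1", "email", day0 + timedelta(days=10))
    results["after_withdraw"] = ledger.may_contact("u1", "email")
    results["erasure_notices"] = ledger.erase("u1")
    results["anonymised"] = ledger.anonymise_expired(day0 + timedelta(days=400))
    results["u2_email"] = ledger.get("u2").email
    return results


if __name__ == "__main__":
    print(demo())
```

The ledger keeps the consent source and timestamp with each record because, when a complaint arrives, the controller has to show when and where consent was given, not just that a flag is set.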

What needs to change for us to comply with GDPR?

GDPR means a change in daily practice. At C7, we have started the lengthy process of ensuring our partners' compliance nice and early. It might seem daunting, but for starters I would recommend looking at how your current opt in process works. Do you need to change it? If so, how? Could it just be a case of having multiple tick boxes and making it clearer to the individual that they can opt out at any time?

You may also need to update your privacy policy and terms and conditions. If the consumer wants to know more, this is where it should be explained in further detail. Individuals must also be able to update their personal details. Although this may already be in place, are you making it clear to your members?

Go back through your process and pick at everything that will need to be changed. Start getting in the mindset of, “Am I being compliant?”

What could GDPR cost you?

You may be reluctant to start thinking about this now, but you will quickly come to terms with it once you know the figures. Fines can be as big as 20 million or 4% of your annual worldwide turnover, whichever is higher.

Currently the non-compliance fine is a mere £500k, which is nothing compared to the new fines that will come in when GDPR kicks in next May. These fines should be the motive to get the ball rolling and start thinking about how you are going to comply. What do you need to change? How will you be affected when you do, and what will it cost if you don't?
