Did you know that the new EU personal data regulation applies from May 2018? ALL companies need to be getting ready NOW to become compliant in time. The General Data Protection Regulation (GDPR) applies to the processing of personal data of individuals in the EU, whether your company is based in an EU country or not. Use this time to get ahead of the competition and seize the opportunities that the new regulation presents.
On 14 April 2016, after four years of preparation and debate, the General Data Protection Regulation (GDPR) was approved by the EU Parliament. The GDPR applies from 25 May 2018, at which point organisations that are not compliant will face heavy fines. Under GDPR, companies in breach of the new law (which in the UK supersedes the Data Protection Act 1998) can be fined up to 4% of annual global turnover or €20 million, whichever is the higher.
The GDPR gives individuals control of their personal data by giving them the right to know what data is being collected, when it is collected and what it will be used for, and the right to access that data. It also gives them the right to have it erased on request.
One of the UK’s leading managed hosting providers, UK Fast, has put together an informative webinar series featuring a panel of experts who provide insight into the new regulation and the steps that companies need to take in order to become compliant.
Advice and guidance on all areas of GDPR can be sought from two of the panellists:
Matthew Bruce – Bruce & Butler Limited (Data Protection & GDPR Consultant)
Ian West – Senior Independent GDPR Advisor and member of the GDPR Institute
About the GDPR:
The GDPR is a new data protection framework with heavier penalties for compliance failure and new rules on the storage and handling of personal data. In essence, the new regulation is a new and improved form of ‘consent management’: it requires a documented lawful basis for every use of personal data, with consent the basis most marketing activity will rely on, and it will give individuals trust in the companies they choose to be in contact with and greater control over their own data and how it is handled.
Irrespective of the UK’s imminent uncoupling from the EU, the law still very much applies to all businesses, particularly those that handle the data of individuals within the EU.
If your company processes the data of any individuals, whether customers, prospects, leads, newsletter sign-ups etc., the GDPR will stipulate that consent of a new, demonstrable standard (freely given, specific, informed and unambiguous) needs to be acquired before your company can use that data for marketing.
The road to GDPR compliance shouldn’t be seen as a problem or an issue. Companies just like yours should recognise this as a huge business opportunity! Acquiring this standard of consent from your contacts and website visitors, who agree to receive your marketing material, will mean that the data you hold becomes a more valuable commercial asset.
By filtering out those who don’t want to be marketed to, you will be left with a fine-tuned list of individuals who have given clear, documented consent for you to contact them. Even if your CRM system shrinks from a 20,000-strong database to 5,000 who agree to you handling their data, that is 5,000 QUALITY contacts that can be nurtured (and want to be!).
- What data have I got?
- Where is it located? (is it in a data centre, is it in the cloud?)
- How are we using it?
- Do we have consent to use it?
He stated: “If you can’t answer ‘Do I have explicit or implied permission to use the data I am holding, in the way that I am using it?’ with a ‘yes’, then you shouldn’t have the data at all. As of 25th May 2018, you will not be able to use it.”
Ian highlighted a recent case where pub chain JD Wetherspoon deliberately deleted its entire customer database because it could not justify how it came to hold the data. The company couldn’t guarantee that marketing to the historical list wouldn’t pose problems in the future, so it ditched the whole lot! Brave move! (The number of contacts in the database has not been reported; the same company suffered a security breach in 2015 affecting 656,723 customer records.)
Examples of poor data handling and why GDPR will be a good thing:
In March, Flybe was fined £70,000 by the Information Commissioner’s Office (ICO) after sending over 3.3 million emails with “Are your details correct?” in the subject line to people who had opted out of marketing. In the same month, Honda was fined £13,000 after sending 289,000+ emails asking customers whether they wanted to receive marketing. In both cases the ICO’s point was the same: an email asking for consent is itself a marketing email, and you need consent to send it.
In June, Morrisons was fined £10,500 for sending 131,000 emails about its loyalty card to people who had opted out of marketing.
When TalkTalk suffered its 2015 security breach and customer data was compromised, the company lost around 100,000 customers. Those customers didn’t stop using phone and broadband services; they went to a competitor. The breach cost TalkTalk a then-record £400,000 ICO fine. Under GDPR’s turnover-based penalties, the panel put the potential fine at £54m.
Use this time to capitalise on GDPR and get ahead of your competitors in becoming compliant so when the new regulation comes into play, you can legitimately market to your database without the threat of fines or losing customers to the competition.
GDPR and the effect on sales and marketing
The GDPR will mean a complete shift in the way we market or at least, the people that we market to. It will also have a huge impact on those that handle the data of individuals within the EU.
Step back and think about the data that your company holds. Is it customers, email subscribers, bought in data, contacts you’ve met at a show, been passed a business card at a networking event, their IP address when they visit your website? The GDPR will have an impact on how your company can use this data from 25th May 2018 – this means ALL OF YOUR HISTORICAL DATA!
Different rules will apply to different groups of stakeholders. For example, if you are working with a customer under a contract and providing them with a service, performance of that contract is itself a lawful basis, so you won’t necessarily need separate consent to hold their data while the relationship is ongoing. The lines become blurred when you look at prospects or leads and how you acquired them, or at customers who bought from you years ago but haven’t since.
In the move to compliance, companies will need to be able to demonstrate how they came by the data they hold (GDPR calls this accountability). If consent was granted for you to market to an individual in the way you currently do, where is your proof of it: what was agreed, when, through which form or channel?
If your company has a CRM system bursting with ‘potential’ customers and there have been momentary touchpoints over the years, each department within the company will need to be extremely careful about how they continue to correspond with them.
Between now and May, there will be a process of education and the need for behavioural change and staff training to bring everyone up to speed on what they can and can’t do with the data you have on record.
There are two areas to focus on.
- Adapting your current processes so that the NEW data you collect is gathered in accordance with GDPR – consent, consent, consent.
- Putting a plan in place to manage your historical data – do you ditch it, or risk contacting everyone to gain re-consent under the new GDPR requirements? Seeking re-consent carries its own risk (the Flybe and Honda fines above were for exactly that kind of email), so you need a plan in place if you want to keep using old data.
^ Document everything and DON’T MIX UP THE TWO GROUPS!
Regulators of GDPR will ask one thing when they walk through the door. “Show me your consent management database”. How many organisations have one of these in place today?
The golden rule is, make the move to becoming compliant with GDPR and if you don’t know where you got your data from and how old it is, don’t use it.
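To make the “show me your consent management database” question and the golden rule concrete, here is an added illustration of what such a record store could look like. It is not code from the webinar, UKFast, the ICO or any product; the record fields, the `ConsentLedger` class and the sample contacts are all assumptions constructed for this example. Each contact/purpose pair carries its provenance (source), lawful basis, timestamp and evidence, and the ledger answers “may I use this?” with a reason an auditor can read. It also splits a historical list into the two tracks described above: usable now, needs re-consent, or drop.

```python
"""Illustrative consent ledger (added example, not from the original page).

Every contact/purpose pair records WHERE the data came from, on WHAT lawful
basis it is held, WHEN that was established and the EVIDENCE for it. The
ledger refuses to say "ok" for anything it cannot prove, which is the
golden rule: if you don't know where the data came from, don't use it.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class ConsentRecord:
    contact_id: str
    purpose: str                       # e.g. "email_marketing"
    lawful_basis: str                  # "consent" or "contract" (others omitted here)
    source: str                        # provenance, e.g. a form id or contract number
    obtained_at: datetime              # when the basis was established
    evidence: Optional[str] = None     # e.g. double opt-in token; None = unproven
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}

    def record(self, rec: ConsentRecord) -> None:
        # One record per (contact, purpose); a newer record replaces the old one.
        self._records[(rec.contact_id, rec.purpose)] = rec

    def withdraw(self, contact_id: str, purpose: str, when: datetime) -> bool:
        """Mark consent as withdrawn; returns False if there was nothing to withdraw."""
        rec = self._records.get((contact_id, purpose))
        if rec is None:
            return False
        rec.withdrawn_at = when
        return True

    def decide(self, contact_id: str, purpose: str) -> str:
        """Return 'ok:<basis>' or the reason the data must not be used for this purpose."""
        rec = self._records.get((contact_id, purpose))
        if rec is None:
            return "no-record"            # unknown origin: do not use
        if rec.withdrawn_at is not None:
            return "withdrawn"            # opted out: do not use (cf. the Morrisons fine)
        if rec.lawful_basis == "contract":
            return "ok:contract"          # ongoing service relationship
        if rec.lawful_basis == "consent":
            if not rec.evidence:
                return "no-evidence"      # consent claimed but cannot be demonstrated
            return "ok:consent"
        return "unsupported-basis"

    def may_use(self, contact_id: str, purpose: str) -> bool:
        return self.decide(contact_id, purpose).startswith("ok:")

    def segment(self, contact_ids: Iterable[str], purpose: str) -> Dict[str, List[str]]:
        """Split a historical list into the two tracks: use now, seek re-consent, or drop."""
        out: Dict[str, List[str]] = {"use": [], "reconsent": [], "drop": []}
        for cid in contact_ids:
            verdict = self.decide(cid, purpose)
            if verdict.startswith("ok:"):
                out["use"].append(cid)
            elif verdict == "no-evidence":
                out["reconsent"].append(cid)   # only if you accept the re-consent risk
            else:
                out["drop"].append(cid)
        return out


# Constructed sample data for the demonstration; these are not real contacts.
DEMO_PURPOSE = "email_marketing"
DEMO_CONTACTS = ["c1", "c2", "c3", "c4", "c5"]   # c5: bought-in list, no record at all


def build_demo_ledger() -> ConsentLedger:
    t = datetime(2017, 11, 1, tzinfo=timezone.utc)
    led = ConsentLedger()
    led.record(ConsentRecord("c1", DEMO_PURPOSE, "consent", "web_signup_form_v3", t,
                             evidence="dbl-optin-9f2a"))
    led.record(ConsentRecord("c2", DEMO_PURPOSE, "consent", "trade_show_2014_cards", t,
                             evidence=None))                     # business card, nothing provable
    led.record(ConsentRecord("c3", DEMO_PURPOSE, "contract", "support_contract_4471", t,
                             evidence="contract-4471"))
    led.record(ConsentRecord("c4", DEMO_PURPOSE, "consent", "web_signup_form_v3", t,
                             evidence="dbl-optin-0c11"))
    led.withdraw("c4", DEMO_PURPOSE, datetime(2017, 12, 5, tzinfo=timezone.utc))
    return led


if __name__ == "__main__":
    ledger = build_demo_ledger()
    for cid in DEMO_CONTACTS:
        print(cid, ledger.decide(cid, DEMO_PURPOSE))
    print(ledger.segment(DEMO_CONTACTS, DEMO_PURPOSE))
```

The point of the `decide` method returning a reason rather than a bare yes/no is that the reason is what a regulator asks for: the same field that blocks a mailing also documents why the contact was dropped or sent a re-consent request. Whether a “no-evidence” contact is worth the re-consent email or should simply be dropped is a business and legal decision; the code only keeps the two groups from being mixed.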
The Information Commissioner’s Office (ICO) has produced a handy guide, ‘Preparing for the General Data Protection Regulation (GDPR)’, which explains what your company needs to do in order to become GDPR compliant.
To find out more about GDPR and how your company can become compliant, email firstname.lastname@example.org