GDPR Countdown: The Facts so Far
17 Mar 2017
The GDPR comes into force next May, with hefty fines for those organisations that aren’t ready.
However a recent DMA survey showed that one in four businesses are ‘unprepared’ for the significant reforms to data protection laws that the GDPR will bring.
If your organisation is one of the 25% who are on the back foot, now is not the time to panic. But it is definitely time to take action.
To get the full lowdown on where things currently stand with the GDPR, I spoke to Brightsource’s Head of Client Service Kate Howe, who also sits on the DMA Data Council.
Hi Kate. My memory’s a bit fuzzy. Can you remind me what the GDPR is again?
It’s the biggest update to EU data protection in 20 years, and will affect every organisation that operates in Europe, across all sizes and sectors.
Any business or charity that isn’t fully compliant by the time it comes into force could face fines of €20m or 4% of its annual turnover.
Wait a minute. Doesn’t Brexit give us a get-out clause?
Afraid not (as we were quick to point out following the announcement of the EU Referendum results last year).
According to TechCrunch, the UK Government has confirmed it will be harmonising domestic law with the GDPR in time for our exit from the EU.
Fair enough. What are the main changes then?
The new law will require all organisations to gain unambiguous consent for how a person’s data will be used, across all channels. Explicit consent may be required for particularly sensitive data.
Aren’t explicit and unambiguous consent the same thing?
No, there is an important difference, but it’s rather subtle, so bear with me!
Explicit consent is stricter, in that it requires an opt-in tick box or declaratory consent statement. It only applies to specific categories of data considered particularly sensitive as defined by the GDPR, “in relation to fundamental rights and freedoms”.
Unambiguous consent is required for all other data. This should be freely given, specific, informed and a clear indication of an individual's wishes (that has only one possible interpretation).
The GDPR also requires that individuals demonstrate their consent through a statement or affirmative action in order for it to be considered unambiguous.
In every case people must be made aware of how their data will be used through simple and easy to understand language, and information can no longer be held within privacy statements. Individuals can also withdraw their consent at any time.
Can you give some practical examples of how brands can ask for unambiguous consent?
Again, unambiguous consent must be given either by a statement or clear affirmative action, so good practice would include:
- An opt-in tick box on a website
- Verbal agreement over the telephone
- Choice of technical settings, for example, privacy settings for online cookies
- "Any other statement or conduct which clearly indicates acceptance". For example, clicking an icon, submitting contact details, or sending back a donation form. In each of these cases it must be made absolutely clear upfront what the person is accepting.
It will no longer be enough to consider silence and inactivity as indicators of consent, or to use pre-ticked boxes. And consent should not be given as a condition of receiving a service, as it would not be 'freely given'.
Yikes. Won’t this severely limit who can be contacted?
It may reduce the quantity of recipients, but with an effective permission marketing strategy, the quality of the relationship should greatly improve.
Permission marketing means that an individual has given you permission to deliver anticipated, personalised and relevant messages to them.
This helps to create richer, deeper conversations with recipients and ensure that people are receiving value back from brands on a consistent basis, in exchange for giving them their attention. And the more attentive people are, the more likely they are to take action, such as make a donation.
The RNLI’s first permission-based campaign is a good proof point for this. The charity received three times the response rate and average donation of the previous year, and because fewer people were contacted, it cost them less.
What’s the most important thing that brands can do right now if they aren’t already prepared?
Every organisation needs to decide what approach to take in preparation for 25th May 2018.
Brands will need to ensure the people they are communicating with have full control over what they want to hear about, when, and through which channels.
However, the charities and businesses that do everything possible to make this process easier and more transparent for their supporters/customers are more likely to earn people’s trust.
Doing the bare minimum may enable your brand to scrape through and avoid fines, but you may also be missing a big opportunity.
By going above and beyond what the GDPR requires, brands have the potential to build a better relationship with supporters or customers and increase the likelihood of consent being granted.
Thanks very much Kate.
This is a great starter for ten, but there are new details being revealed all the time.
Read our regular roundup of GDPR-related news over at the Brightsource blog, or follow us on Twitter or LinkedIn.
Further information:
- Brightsource’s guide to the GDPR - published May 2016
- The DMA’s GDPR Hub (and countdown clock!)
- ICO data protection reform website
- NCVO updates on charity law and regulation