If you’re not familiar with GDPR, now’s the time to familiarise yourself with this new piece of EU law, which comes into force on 25th May this year. GDPR, formally the General Data Privacy Regulation, is a piece of EU legislation with two primary goals.
The goals of GDPR are to:
1. Establish one single set of data protection rules across the EU
2. Give individuals better control over their personal data
In this blog, we’ll go into more depth about what GDPR means for you and your business. At Toast Inbound, we’ve had this new regulation on our radar for a while. As a digital marketing agency, we’ve taken time to attend GDPR events and webinars in the hope of ensuring that we and our clients are GDPR compliant ahead of May. We’re by no means experts in the field, however, we know enough to answer common digital marketing questions relating to the subject.
GDPR replaces the Data Protection Directive, the law that currently regulates the processing of personal data within the EU and was implemented in 1998.
In almost 20 years, advances in technology have completely changed the way we operate in business and how we go about our personal lives. The introduction of tools such as cloud storage and social media has changed the way data is processed and transferred, and a fresh regulation is needed to take these changes into account. GDPR recognises these advances and enforces rules to make sure personal data is used and stored in a transparent manner.
GDPR recognises personal data to be anything related to an identifiable person, such as:
There is no distinction between data from private, public or work roles. GDPR sets out to create a fair system in which data is obtained and processed adequately. Data should only be held for as long as it’s needed and only for a specific purpose. Under GDPR, it’s vital to keep data secure and up to date, otherwise large penalties can be incurred. You must be able to provide a copy of the data you hold on an individual if requested. You will also be required to be able to completely remove all information on a person and to prove that you have done so. This gets slightly more complicated when it comes to contractual or legally required data.
Most likely yes. GDPR specifies that you should only collect relevant information. For example, if your service is dentistry and you require your customers to give details such as their shoe size, you will not be GDPR compliant.
As well as only obtaining relevant data, you will also need to hold consent from an individual to prove that you have permission to keep their data. When capturing data from forms on your website, a good measure you can put in place now is a checkbox that captures consent.
Failing to comply with GDPR rules can have huge repercussions for your business. Organisations can be fined up to 4% of their annual global turnover or €20 million. In the news recently, it was reported that global transportation giant Uber had had a security breach which exposed data of 57m users and drivers to hackers. Uber had covered up the incident and failed to inform regulators until nearly a year after it had happened. Under GDPR, this would’ve resulted in a hefty fine.
It’s of paramount importance that organisations take a look at their current security measures and understand what needs to be done by May. Good practices to follow include anonymisation and encryption, regular testing of systems and controls, and measures for confidentiality and resilience. If, despite this, your data is compromised, there is a 72-hour data breach notification requirement.
The headlines change their stance on our future in the EU on a daily basis, however no matter the outcome of Brexit, GDPR will still be applicable. In fact, the UK put forward a new Data Protection Bill of their own in August 2017, which largely mirrors GDPR.
If your business is in the US and you control or process personal data of EU citizens, GDPR will still apply. This is why the Uber breach would’ve resulted in penalisation from the EU: although the company is registered in the US, some of the information taken concerned EU citizens.
As mentioned previously, GDPR will affect how you collect your data. A common method of gaining more contacts is to buy lists. Under GDPR legislation, this practice will become obsolete. The power over contact lies with the recipient: unless they’ve explicitly said they want to be contacted (via an opt-in), it’s unlawful to do so. If your current digital marketing strategy relies on list buying to build a contact list, you ought to change tack sooner rather than later.
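As an added illustration (not code from this post or from Toast Inbound) of the obligations described above: an explicit opt-in before any contact, a copy of held data on request, and erasure you can evidence afterwards. The store, the field names and the sample values are assumptions made for the example.

```python
# Added example, not part of the original post: a minimal consent and
# subject-data store showing three obligations the post describes:
# explicit opt-in before contact, a copy of held data on request, and
# erasure that leaves a verifiable trace. All names and data are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib

@dataclass
class ConsentRecord:
    purpose: str     # e.g. "marketing-email": data is held for a stated purpose only
    granted_at: str  # ISO-8601 UTC timestamp of the opt-in
    form_text: str   # the exact wording the person agreed to

class SubjectStore:
    def __init__(self):
        self._subjects = {}    # email -> {"fields": {...}, "consents": [ConsentRecord]}
        self.erasure_log = []  # tombstones proving erasure without keeping the data

    def capture(self, form: dict, purpose: str, form_text: str) -> bool:
        """Accept a web-form submission only if the opt-in box was explicitly ticked."""
        # A pre-ticked, absent or "on"-string value is not treated as consent.
        if form.get("opt_in") is not True:
            return False
        email = form["email"]
        rec = ConsentRecord(purpose, datetime.now(timezone.utc).isoformat(), form_text)
        entry = self._subjects.setdefault(email, {"fields": {}, "consents": []})
        # Keep only the fields this purpose needs; anything else (shoe size...) is dropped.
        entry["fields"].update({k: form[k] for k in ("name", "email") if k in form})
        entry["consents"].append(rec)
        return True

    def may_contact(self, email: str, purpose: str) -> bool:
        entry = self._subjects.get(email)
        return bool(entry) and any(c.purpose == purpose for c in entry["consents"])

    def export(self, email: str) -> dict:
        """Subject access request: return a copy of everything held on the person."""
        entry = self._subjects.get(email, {"fields": {}, "consents": []})
        return {"fields": dict(entry["fields"]),
                "consents": [vars(c) for c in entry["consents"]]}

    def erase(self, email: str) -> str:
        """Right to erasure: delete the record and keep only a hashed tombstone."""
        self._subjects.pop(email, None)
        tombstone = hashlib.sha256(email.encode()).hexdigest()
        self.erasure_log.append((tombstone, datetime.now(timezone.utc).isoformat()))
        return tombstone
```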
We understand that GDPR can be quite an overwhelming subject. Some key takeaways we’ve learnt whilst researching are:
There are a lot of uncertainties surrounding GDPR. What is certain, however, is that GDPR will directly affect most businesses that deal with customers in the EU. For more information and advice on implementing changes in anticipation of GDPR coming into force in May, please feel free to contact us!
Author – Lizzie Griffiths
Lizzie is a digital marketing executive at Toast Inbound. She works with clients to help them achieve their SEO goals and improve their presence in Google’s search results.