The imminent implementation of the General Data Protection Regulation is one of the most talked about subjects in business just now. Everyone seems to have a different opinion on what the impact for business will be. There is a great deal of hype and even fear being generated around GDPR and B2B email marketing. Therefore, I feel it would be useful to have a look at some of the key facts in relation to SME businesses.
Before I start, this article is my opinion of the regulations, not a definitive legal interpretation. GDPR is a document full of legalese and EU-speak. However, the principles are not designed to put unnecessary barriers on people doing good, honest business. They are designed to give individuals reasonable protection in an increasingly complex world. No bad thing in my opinion.
There has been a great deal of ‘fear talk’ and I want to establish some balance.
I am not proposing to attempt to deliver a ‘one size fits all’ approach to GDPR. Rather, I am looking objectively at the regulation based on the output of key partners to the regulation, including the ICO (Information Commissioner’s Office) and the DPN (Data Protection Network).
The ICO is the UK representative on the EU’s Article 29 Working Party – the EU body at the heart of GDPR.
The DPN is dedicated to providing expert opinion, quality resources and learning materials, to both experts and non-experts in the field of Data Protection and Privacy.
GDPR is coming.
One thing is for certain:
GDPR will apply from 25 May 2018
So what should you do about GDPR in your business?
First and foremost, you shouldn’t ignore GDPR. I believe there are 4 key issues to consider:
- Is it legitimate for you/your company to hold & process personal data as you do?
- Have you assessed the data you hold to check it is appropriate?
- Have you assessed the potential risks arising from any data breach, and have you taken reasonable steps to protect against such a breach?
- What procedure do you have in place to take appropriate action in the event of a breach resulting in the unauthorised release of personal data?
To look at these another way:
- You need to be comfortable that your business operates within the regulations
- You need to be aware of the principles of GDPR and the rights of ‘Data Subjects’ regarding the data you hold on them.
- Your policies (e.g. the Data Protection/Privacy policies on your website) should meet the requirements of GDPR
- You should be ready to engage openly with people about the data you hold
- You should respect the rights of Data Subjects to say ‘No Thank You’
I have read around the subject of GDPR. The principles behind the regulations actually seem to come down to four words: Reasonable, civilised, common sense.
If you hold information on a person, you should respect that data and only use (‘process’ in the jargon) the data in ways that are, to quote the Advertising Standards Authority, ‘Legal, Decent, Honest and Truthful’.
The idea applies here to all data, not just that used for advertising and marketing. In addition, I think we should also add the principle of openness.
If someone holds data on you it is reasonable that, if you want, they should be open about letting you know what information they hold, why they hold it and how they use it. Furthermore, you should have the right to oblige someone holding your personal data to stop using it – unless there is some higher legal obligation.
Must I gain opt-in consent from my data subjects?
This is a key question from businesses using data for marketing and the answer, in short, is No!
Consent is not an absolute requirement under GDPR.
Understandably, there is a lot of emphasis on consent. In many instances, getting the consent of a data subject to hold and process their personal data may be ideal. Getting specific opt-in consent should never be a bad thing though sometimes it is impractical.
Under the GDPR, there are 6 ‘Lawful Bases’ for processing data. Consent is listed first although there is no hierarchy in the list. Each ‘Lawful Basis’ has the same weight.
In practical terms, the basis most likely to be relevant to marketers (B2B in particular) is ‘Legitimate Interest’.
Legitimate Interest in GDPR
The GDPR states,
‘the processing of Personal Data for direct marketing purposes may be regarded as carried out for a legitimate interest.’ An organisation may wish to rely upon Legitimate Interests where Consent is not viable or not preferred and the Balance of Interests condition can be met.
Note the phrase “may be regarded as…”: organisations will still need to establish necessity and balance their own interests against the interests of those receiving the direct marketing communications. Legitimate Interest may be the right basis where consent is not viable or not preferred, though the DPN rightly stresses that organisations must still be able to show that balance of interests, between their own and those of the person receiving the marketing.
Though the GDPR does not list all the circumstances in which legitimate interests may apply, it does require that any processing under this banner meets the balance of interests condition: are the interests of the controller overridden by the interests or rights of the individuals concerned?
The DPN’s guidance document explores these ideas and gives a range of examples (though these are predominantly B2C).
Is the Legitimate Interest basis appropriate for my business?
There is a difference between B2C where you are targeting individuals and B2B where you are using personal data to actually target job roles. Consequently, in B2B it may be easier to establish Legitimate Interest relevance. In B2C, particularly where children, the elderly or more vulnerable adults are involved, if you apply the common sense approach I talked about earlier, you will see that things become more complicated.
There is a template for a Legitimate Interest assessment in the DPN’s guidance document.
Whatever your approach you should always be Legal, Decent, Honest and Truthful – and open.
In summary, GDPR is not a threat to the large majority of businesses. There is a great deal of hype and ‘fear marketing’ around at the moment. Many of the principles enshrined in GDPR already exist in the current data protection legislation. Some, however, have been clarified and extended. There are some great guidance notes available from both the Information Commissioner’s Office and the Data Protection Network.
The sun will rise on the morning of 26th May and the world will still be turning!
Please Note: The above are my own views based on my research, not a definitive legal opinion. For more detailed advice on the application of GDPR to your business, I recommend you approach a GDPR specialist.