The General Data Protection Regulation (GDPR) will drastically change the way businesses use data across all EU member countries. Traditionally, Europe has always had different data protection regulations in each EU country – for example Germany’s Datenschutzbedingungen (BDSG) law has been in place since 1979 and reflects much that the GDPR will bring in. In addition, irrespective of ‘Brexit’, any UK organisation doing business in the EU will need to comply with the GDPR. In the consumer space the impact of the forthcoming legislation led Wetherspoons to ditch all its existing data last week to begin again.
It’s important to note that it’s not just EU marketers that need to act fast: this regulation will also apply to organisations across the world. Any company that processes personal data about EU citizens, whether they reside in the EU or elsewhere in the world, will need to abide by the GDPR. According to a global study by Veritas, 56% of respondents in Singapore, 37% in the US and more than 60% in Japan and South Korea are worried they will not be able to meet the May 2018 deadline for compliance.
The scale of implementing this change is daunting – but with just under a year to go until the GDPR becomes law, B2B marketers should take action now or risk being fined thousands of pounds!
What is the EU GDPR?
Officially known as the Directive 95/46/EC, the legislation is part of the EU privacy and human rights law.
The aim of the new Regulation is to harmonise the current data protection laws in place across the EU member states. The fact that it is a ‘regulation’ instead of a ‘directive’ means it will be directly applicable to all EU member countries without a need for national implementing legislation, so every organisation in scope has to comply from the same date.
What is the timescale for its implementation?
Adopted by European Parliament in April 2016, the GDPR is fast approaching and organisations will need to be compliant by 25th May 2018.
Breadth of GDPR impact:
- B2B as well as B2C
- Data processors as well as controllers
- Direct Marketing, all channels where personal data is used
- Data processing for other purposes
So as a B2B marketer, how will the new regulations affect my company?
Moving forward, brands will need to be more transparent on what they do with personal data, while individuals will have more control of their information. Marketers will be required to obtain “unambiguous” consent from individuals before using their data for marketing purposes. B2B Marketers will need to be able to demonstrate compliance – i.e. provide evidence.
Here are 12 steps B2B Marketers can start implementing today to stay ahead of the deadline:
- Communicate effectively. Everyone from the C-suite to your marketing team should be aware that the law is changing, what the business must do to comply with the GDPR, and what impact this will have on your business and how it operates.
- Information audit. To be on the safe side, you should have an internal information audit and document all the personal data your company currently holds. Where the data has come from, who you plan to share it with and what you plan to use it for are just some of the things you need to consider.
- Review your current privacy notices. Now is the perfect time to review your current privacy notices and put a plan in place in order to make any changes required ahead of the 2018 deadline.
- Ensure you cover individual rights. It is extremely important that you have processes and procedures in place that cover all individuals’ rights under the new GDPR, including how you will delete personal data or provide data electronically.
- Put in place procedures for subject access requests. A subject access request is a written request made by or on behalf of an individual for the information which he or she is entitled to ask for. You should update your procedures and plan how you will handle requests within the new timescales and be able to provide any additional information. With the new GDPR changes you will have a single month to comply with a request, rather than the 40 days available now.
- Identify your legal basis. You should look at the various types of data processing your company carries out, identify your legal basis for carrying it out and document it!
- Review your consent procedure. This is a procedure which you should already have in place, but in case you don’t you should review how you are seeking, obtaining and recording consent for all your data.
- Personal data breach. Ensure you have the right procedures in place in order to detect, report and investigate a personal data breach.
- Data Protection Officers to the rescue. New requirements brought in under the law will include the need for large companies to appoint a Data Protection Officer (DPO) – this applies to organisations with more than 250 employees. If this is you, you should think about designating a DPO within your company and see where this role would sit within your company’s structure. This individual will have the job of independently assessing the organisation’s data governance stance.
- Carry out a Data Protection Impact Assessment. Assess all personal data processing activities, whether current or planned. Is this personal data processing being conducted with the consent of the Data Subject? The burden of proof is now on the Data Controller to show evidence of consent, which needs to be unambiguous. Information delivered in ordinary language, the time period for which consent has been given and the purpose for which the personal data can be used all need to be properly recorded.
- Ensure privacy by design. This is a principle of the GDPR and must be embedded into any new personal data processing. This should be thought about early in the process to enable a structured assessment and validation. Implementing privacy by design can demonstrate compliance and create sustainable competitive advantage.
- Moving data outside the EU. With any international personal data transfer it will be important to check that the Data Controller has a lawful basis for transferring personal data to anyone on the ‘approved’ countries list. Getting this wrong could attract a fine of up to 4% of annual worldwide turnover, so the consequences could be severe not just financially but also from a reputation perspective.
From one B2B marketer to another . . .
It is extremely important to make sure that we stay up to date on all the latest news when it comes to personal data regulations – there’s no shortage of information on the DMA website and good courses are out there, so let’s invest our time wisely and learn more in order to become compliant.
Author: Sylvia Laws, Managing Director, Technical Associates Group