After endless discussions and debates, the EU’s forthcoming data privacy legislation – the General Data Protection Regulation (GDPR) – will finally be implemented on 25th May this year. With stricter rules and heavy financial penalties for non-compliance, the GDPR is a significant step forward for data privacy and consumers’ rights. While this change has been greeted with positivity by regulators and consumer rights advocates, its looming enforcement is a source of concern for many marketers.
Indeed, many SMEs are mired in fear, uncertainty and doubt. There is much confusion over the new rules; the number of businesses that felt they were on track ahead of the change dropped from 68 per cent to 55 per cent once they realised the full scope of the changes following recent guidance provided by the Information Commissioner’s Office (ICO).
It is easy to think of the GDPR as a set of punitive, draconian measures, or at the very least as anti-business. Instead, it is better viewed as an opportunity, giving SMEs the guidance they need to be better data stewards. This will lead to deeper customer relationships and a distinct commercial advantage.
Of course, in order to take hold of this opportunity, SMEs must get to grips with the legislation, understanding what is being asked, and most importantly, why. Here are five considerations of which all SMEs should be mindful:
Even for lawyers, legal regulations can be difficult to decipher – and interpreting the specifics of the GDPR is no different. The regulation is complex and multi-faceted, so understanding its intricacies is particularly vital, and SMEs will need to ensure the right documentation and processes are in place to help demonstrate compliance. Importantly, the ICO and the DMA are available to answer questions, so do use them as a resource.
While SMEs will not have anywhere near as much data as other, larger organisations, they will still be accountable for whatever they store – no matter how little. Before any visit from the ICO, ensure that all data has been ferreted out and clearly documented: when, how and why it was obtained, what you are going to do with it, and how long you are going to keep it.
The GDPR is a big win for citizen rights, setting out more comprehensively how citizens’ data should be handled.
One of the key changes is found in the ‘right of access’, which has expanded considerably and is now required to be free of charge. There are new rights as well, such as the ‘right to be forgotten’, where the data subject will be able to have all of their personal data deleted (i.e. ‘forgotten’) when they no longer want to have a relationship with a brand. With all of the individual rights enshrined in the GDPR, you should think about what processes you will need to accomplish this.
Transparency is paramount: being open and honest with the people who give you their data about what you are collecting, why you want it, how you will be using it and how you will take care of it is a core principle of GDPR.
GDPR defines six different legal bases for processing data. The two that most marketers will rely on are legitimate interest and consent. A lot has been written about marketers relying on consent, but SMEs should not overlook legitimate interest. First, the regulations make clear that all the legal bases are equal and that none outweighs the other.
Secondly, consent is an objective legal ground; in other words, black and white – either you have it or you don’t. Legitimate interest, on the other hand, is a subjective legal standard, totally dependent on the situation. SMEs would take a risk-based approach to determine whether their legitimate interest in marketing to an individual infringes on that individual’s rights under the regulations. SMEs should not think that this is by any means an easier standard to achieve, but rather that it allows them to take all business factors into consideration.
These are of course just a few points that should be considered – for a more comprehensive outline of the law please do visit the ICO or the DMA, both great resources for further information on how to get ready.
Many SMEs may happily find they are already working in compliance with the regulations, and many more will find that only small tweaks are required to ensure they are in line with new requirements. After all, there is very little in the GDPR which has not been talked about as best practice for years. As with any opportunity, grasping it can be a challenge, but for SMEs the two golden rules of the GDPR should serve them well in their wider approach: keep the customer’s rights at the heart of operations, and document everything.
By Skip Fidura, Clients Services Director, dotmailer