May 2018 - Fundamental Marketing

Monthly Archives: May 2018

May 01

GDPR 101: The new EU General Data Protection Regulation (GDPR)

The EU’s General Data Protection Regulation (GDPR) compliance date is rapidly approaching (May 25, 2018).  Recent surveys show that less than 60% of UK businesses will be ready for the GDPR, with that number even lower for businesses outside the UK.  Computer Weekly reports that almost 80% of US firms will be affected by the new GDPR standards and penalties. 

The GDPR does not just apply to European businesses: it applies to anyone who holds even a single contact in their database who resides in the EU (the UK included).  So, should you be worried? The bottom line is that the GDPR will likely affect the way you do business, and you must be aware of its requirements and prepare for them.

This post is designed to give you the basics and requirements of the GDPR.  

What is the new General Data Protection Regulation?

The GDPR is an EU regulation covering privacy for all individuals within the European Union.  It also regulates the transfer of personal data outside the EU.  The GDPR is designed to give EU residents control over their personal data and to simplify the rules for international businesses by replacing the differing national data protection laws with a single regulation.

The reform is designed to bring laws and regulations around personal data, privacy and consent up to speed to truly reflect the new internet age we live in.

Under the GDPR, organizations that collect and manage personal data must ensure that the data is collected lawfully and under strict conditions, and must respect the rights of the individuals the data is about (the data subjects).

Who does the EU GDPR apply to?

The GDPR applies to organizations that handle personal data on individuals in the EU.  This does not only apply to companies in Europe: if you deal with or store data on individuals who reside in the EU, it applies to you.  

If you happen to be a business outside the UK or EU, you may be thinking that this does not apply to you.  Think again.  The GDPR DOES APPLY to non-EU/UK businesses, and EU regulators, with the cooperation of local authorities, can enforce it against you.

As you dive into the regulation, it identifies two types of data handlers: controllers and processors.  Processors are the entities that process data on behalf of the data controller.  

The Controller is defined as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. The data controller determines the purposes for which and the manner in which personal data is processed. It can do this either on its own or jointly or in common with other organizations. This means that the data controller exercises overall control over the ‘why’ and the ‘how’ of a data processing activity.

The data processor is defined as a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

In simple terms, you as a business owner are more than likely the controller, and the marketing platform, CRM and similar services you use are processors.

What type of data is considered personal data under the GDPR?

The GDPR uses the term "personal data" (roughly what US readers call PII, Personally Identifiable Information) for any information relating to an identified or identifiable person.  Examples include name, address, IP address and photos, and the definition extends to online identifiers such as cookie IDs and device identifiers.  It also includes special categories of sensitive personal data, such as genetic data and biometric data that could be processed to uniquely identify an individual.

How does the GDPR affect you?

The GDPR establishes one law across the continent and a single set of rules that apply to companies doing business within EU member states.  The reach of the legislation extends beyond the borders of Europe itself: international organizations based outside the region but with activity on 'European soil' will still need to comply.

The GDPR provides for fines of up to 20 million Euros or 4% of global annual turnover (AKA “revenue” in the U.S.), whichever is greater, for the most serious infringements; a lower tier of up to 10 million Euros or 2% of turnover applies to other obligations, such as record-keeping and breach notification.  Those are maximum fines, and as of now there does not appear to be guidance on specific amounts for particular violation types. 

Types of violations include infringements of the rights of data subjects, unauthorized international transfers of personal data, failure to report a breach, and failing to put procedures in place for, or ignoring, data subject access requests.

What do you need to do prior to May 25th?

1.  Understand the law: Know what your obligations are under GDPR as it relates to collecting, storing, and processing data.

2. Create a Data Map: Document your data flow.  Identify your data sources and what information can be found in each.  You will need to determine the following:  

  • What data you hold, where it came from and whom you share it with.  
  • What Information you have on UK/EU residents.
  • Which third-party service providers you use, and ensure they are compliant with the GDPR.

Once you have determined the above, you will need to update your privacy policies to ensure they address and comply with the GDPR.

3.  Gain Explicit Consent: Consent needs to be addressed by marketers and business owners on two fronts.  First, you need to gain proper consent on all new opt-ins into your system.  This goes for lead generation as well as sales.  If you operate an e-commerce business, you will want to obtain consent to market on your order forms in order to follow up with further marketing.  Second, consent needs to be obtained for your existing database as well as for new contacts.  Yes, this does mean you should re-permission and clean your database.  Here are guidelines for what the GDPR considers valid consent; the request must:

  • Contain a clear statement of consent using plain English that is easy to understand
  • Be separate from any other terms and conditions
  • Explain why you want the data and what you will do with it
  • Require a positive opt-in (no pre-ticked boxes)
  • Name third party controllers that will rely on consent
  • Explain how the contact may withdraw consent (opt-out or be forgotten)
  • Avoid making consent a pre-condition of service

4. Update your privacy policies: Your privacy policies need to be updated to reflect the GDPR.  These policies should be clear and easy to understand.  They need to cover exactly what data you collect and how you use it.  This includes not only the obvious personal data (name, email etc.) but also cookies, pixels, tracking mechanisms and even affiliate links.

What Else Should I be aware of?

To dive in and learn everything there is to know about the GDPR, see the EU GDPR website.

P.S. We are not lawyers and this should not be taken as legal advice, but as guidelines on what you need to know and do to be prepared.

May 01

The 9 reasons your marketing list is not usable for EU/UK clients after May 25th

May 25th 2018 is rapidly approaching and the new General Data Protection Regulation (GDPR) will be going into effect.  The big question is are you prepared and more importantly is your historical data prepared?

But wait a minute, I thought the GDPR only applies to new contacts.  That thinking would be incorrect.  The GDPR applies not only to new contacts in your database but to your existing database as well.

Here are 9 reasons why you will NOT be able to use your existing database to market after May 25th 2018 when the GDPR takes effect.

  1. You did not receive explicit consent nor did you specify what marketing messages the contact will be receiving.
  2. You did not provide or cannot prove that you provided a clear explanation of how the data would be processed.
  3. You did not provide or cannot prove that you provided the contact details and identity of the controller.
  4. You did not provide or cannot prove that you provided the details of any recipients of the data including any third party systems where data is stored e.g. cloud-based email marketing or CRM systems, email providers, cloud storage providers.
  5. You did not provide or cannot prove that you provided the details of any countries to which the data will be transferred. It is often the case that data will reside on servers in other countries especially when using cloud service providers including those above.
  6. You did not provide or cannot prove that you provided the retention period of the data or the criteria used to determine the retention period.
  7. You did not provide or cannot prove that you provided the existence of the data subject’s rights (e.g. the right to be forgotten, the right to object, the right to data portability etc).
  8. You did not provide or cannot prove that you provided the right to withdraw consent at any time if relevant.
  9. You did not provide or cannot prove that you provided a statement about the right to complain to the Data Protection Authority.

When it comes to data and housing data on individuals in the EU and UK, the game has definitely changed.  The good news is that there are steps you can take now to remedy this situation!  

Here are 4 steps to take to get yourself on the path to compliance now.

  1. Update your website privacy policy, cookie policy and terms and conditions.
  2. Update all of your lead capture forms (set clear expectations of what they will receive and provide an unchecked checkbox for them to give consent).
  3. Document your data flow and track what the subscriber gave consent to at opt-in
  4. Get your data cleaned.
    1. Identify in your database all EU and UK contacts (there are services that can help you do this).
    2. Launch a campaign to those identified contacts, and to any you could not classify, to generate explicit consent to market.
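Both the consent guidelines in the first post and the steps above come down to one practical requirement: being able to prove, for each contact, exactly what they were shown, what they agreed to, where and when, and whether they later withdrew. The following is an added example, not code from the original post or from any product it mentions, of a minimal consent ledger that records those facts and refuses to treat a pre-ticked box or a withdrawn opt-in as consent. All names, fields, notice wording and sample contacts are assumptions constructed for illustration.

```python
"""Added example (not from the original post): a minimal, auditable consent
ledger that can show *why* a contact is marketable under the GDPR.

Every record stores the versioned notice the subject was shown, the purposes
they opted in to, the source form, the timestamp, whether the box was
pre-ticked (invalid), and any later withdrawal.  All names, fields and sample
data are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample notice: the exact wording shown at opt-in, versioned so a
# record can be tied to the text the subject actually saw (controller identity,
# recipients, retention, withdrawal and complaint rights all in one place).
NOTICES = {
    "v1": "Tick to receive our weekly product newsletter by email. "
          "Controller: Example Ltd (privacy@example.com). We share your address "
          "with our email service provider. Retained until you unsubscribe. You "
          "may withdraw at any time and may complain to your data protection "
          "authority.",
}


@dataclass
class ConsentRecord:
    contact_id: str
    purposes: List[str]              # e.g. ["newsletter"]; never a blanket "marketing"
    notice_version: str              # key into NOTICES: what the subject was shown
    source: str                      # form or import the opt-in came from
    granted_at: datetime
    pre_ticked: bool = False         # a pre-ticked box is not valid consent
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self) -> None:
        self._records: Dict[str, List[ConsentRecord]] = {}

    def record_opt_in(self, contact_id: str, purposes: List[str], notice_version: str,
                      source: str, pre_ticked: bool = False,
                      when: Optional[datetime] = None) -> ConsentRecord:
        # Refuse to store consent you could never evidence: unknown notice text.
        if notice_version not in NOTICES:
            raise ValueError("unknown notice version; cannot prove what was shown")
        rec = ConsentRecord(contact_id, list(purposes), notice_version, source,
                            when or datetime.now(timezone.utc), pre_ticked)
        self._records.setdefault(contact_id, []).append(rec)
        return rec

    def withdraw(self, contact_id: str, when: Optional[datetime] = None) -> None:
        # Withdrawal closes every open opt-in; the records themselves are kept
        # as evidence of what happened.
        when = when or datetime.now(timezone.utc)
        for rec in self._records.get(contact_id, []):
            if rec.withdrawn_at is None:
                rec.withdrawn_at = when

    def _active(self, contact_id: str, purpose: str) -> Optional[ConsentRecord]:
        for rec in self._records.get(contact_id, []):
            if purpose in rec.purposes and not rec.pre_ticked and rec.withdrawn_at is None:
                return rec
        return None

    def can_market(self, contact_id: str, purpose: str) -> bool:
        """True only if an unwithdrawn, affirmative opt-in covers this purpose."""
        return self._active(contact_id, purpose) is not None

    def evidence(self, contact_id: str, purpose: str) -> Optional[dict]:
        """What you would hand a regulator: when, where, and the notice shown."""
        rec = self._active(contact_id, purpose)
        if rec is None:
            return None
        return {"granted_at": rec.granted_at.isoformat(), "source": rec.source,
                "notice": NOTICES[rec.notice_version]}


def demo() -> dict:
    """Constructed scenario: three contacts, only one of whom is marketable."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 26, 9, 0, tzinfo=timezone.utc)
    # Valid opt-in: unticked box, versioned notice, a specific purpose.
    ledger.record_opt_in("alice", ["newsletter"], "v1", "blog-signup-form", when=t0)
    # Legacy import: the box was pre-ticked, so it does not count as consent.
    ledger.record_opt_in("bob", ["newsletter"], "v1", "2016-trade-show-import",
                         pre_ticked=True, when=t0)
    # Carol opted in at checkout and later withdrew.
    ledger.record_opt_in("carol", ["newsletter"], "v1", "checkout-form", when=t0)
    ledger.withdraw("carol")
    return {
        "alice": ledger.can_market("alice", "newsletter"),
        "bob": ledger.can_market("bob", "newsletter"),
        "carol": ledger.can_market("carol", "newsletter"),
        # Consent is purpose-bound: alice never agreed to partner offers.
        "alice_partner_offers": ledger.can_market("alice", "partner-offers"),
        "alice_evidence_source": (ledger.evidence("alice", "newsletter") or {}).get("source"),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the ledger never deletes a record on withdrawal and never accepts an opt-in it cannot tie to the notice text that was shown; those two properties are what turn "we have their email" into consent you can actually prove.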

The GDPR is here and is not going anywhere.  Data protection and privacy are definitely a hot topic right now, not only for the EU/UK but globally.  You need to take data privacy seriously, as I estimate it will only be a matter of time until other countries like the US follow suit and launch new privacy laws.

Set the example with privacy rather than be made into the example!

Check out to learn more about getting your data ready for GDPR.