What are the new EU laws on data protection, and how do they affect your business?
The General Data Protection Regulation (GDPR) is coming into force on 25 May 2018 and is the European Union’s new data privacy law. So why should you be bothered? GDPR affects all businesses, large or small, with customers in the EU. If you fail to comply you risk substantial financial penalties. This article aims to highlight some of the issues involving marketing.
What is GDPR?
GDPR covers the processing (for example, the collection and storage) of ‘personal data’ belonging to individuals within the EU.
What is ‘personal data’?
This is any data that can be used, directly or indirectly, to identify a person. It includes names, email addresses and location, but also extends to IP addresses and mobile device IDs.
Who does GDPR affect?
The GDPR applies to ‘data controllers’, who determine the reasons and methods of collecting the data, and ‘data processors’, who handle the data on behalf of the controller, for example, a platform like MailChimp.
How does GDPR affect your customers?
The new law gives people more control over how their data is used. It extends the rights of individuals in the EU to freely access, correct, delete and restrict the processing of their data (subject to the provisions of the GDPR). GDPR also requires transparency when collecting data: you will now need to inform customers why you are collecting their data and specify which third parties you are sharing the data with. Consent should also be an active opt-in (no default consent with pre-ticked boxes), and consent notices cannot be bundled up within other terms and conditions.
Where businesses process personal data on the basis of consent (for example, for marketing purposes), they must:
- make it easy for people to withdraw consent;
- record consent and how it was given;
- inform individuals they have the right to be forgotten; and
- avoid making consent a precondition of service.
How does GDPR potentially affect marketing?
If you are a micro business or SME, you may be wondering how this affects you, as you do not do ‘big data’. However, if you have a website, then you are probably doing something that comes under the scope of the new privacy legislation. Here are some marketing activities you may be doing that you will need to review, particularly regarding consent and sharing personal data with third parties:
- Email newsletter databases
- Website contact forms
- Blog post comments
- Cookie notices
- Collecting business cards at trade shows
- Forum or message board
- Live Chat
Any marketing activities using electronic messages (phone, fax, email or text) must also consider the legal obligations set out in the Privacy and Electronic Communications Regulations (PECR). These regulations are in the process of being updated, and the Information Commissioner’s Office (ICO) is expected to issue further guidance on how B2C and B2B electronic marketing will be affected under the GDPR and updated PECRs.
If you are unsure about your compliance status, it is probably worthwhile talking to a lawyer. In particular, it is important to be aware of which third parties you may be sharing data with via plugins and add-ons, whether it is MailChimp, Facebook ads, remarketing pixels or Google Analytics.
For further reading I recommend visiting the ICO page on GDPR regulations to understand your responsibilities as a ‘data controller’ and/or ‘processor’.
I’m a marketer, not a lawyer, and this blog post does not constitute legal advice. If you are unsure about GDPR compliance or PECR, it would be a good idea to consult a lawyer. I’d like to thank Dr Julie Nixon, a legal expert on IP protection at law firm Morton Fraser, for her help with this article.