Warnings about the General Data Protection Regulation (GDPR) have been hurled around in the past year like weapons. This EU regulation comes into force in May 2018 and will undoubtedly change the data protection landscape forever. However, while the GDPR is certainly going to make an impact, for marketers, complying with its requirements is much less onerous than many people think.
Very basically, it requires data controllers to effectively implement data-protection principles and to integrate data processing safeguards. It also sets a standard for the volume of personal data collected – restricting this to only what is necessary for the purpose of the processing. This could be even more succinctly summed up as putting in place measures to minimise data processing and only processing and storing the minimum data necessary.
For the first time in data protection regulations affecting the UK, the GDPR introduces the concept of privacy by design. This is an approach to projects and planning that incorporates privacy and data protection considerations from the very start. It shifts the focus from reactive data protection to a requirement to take proactive and pre-emptive measures. It is also the first piece of law that seriously increases the penalties for not properly protecting data. In years gone by, data protection fines were so low that most businesses just risked them. Now, with fines topping £17 million, or 4% of turnover for the previous year, that risk is no longer worth it.
For those in the marketing world the changes to consent are one of the most significant parts of the GDPR. Some of the points to note for those sending out marketing communications include:
Consumers will now have a right to access and remove data under certain circumstances: for example, data that has been unlawfully collected, data collected when there was no legitimate reason for processing that person’s information, and data where consent to data processing has been withdrawn. For many businesses the tricky issue is how to keep track of the status of data and to ensure that any communications that create a request to be forgotten are complied with. That’s what must be tackled before May 2018.
The GDPR requires a pretty significant attitude shift to personal data, which for years has been viewed by many businesses as theirs to manage and handle as they choose. The reality is that the chances of compliance will be significantly improved with the right attitude:
And finally, start developing a bit more respect for user privacy. We have become used to feeling as if we have a right to consumer data but that kind of approach could soon become very costly indeed.
Author: Steve Pailthorpe