What is GDPR?
GDPR, which stands for General Data Protection Regulation (Regulation (EU) 2016/679), was developed by the European Parliament and comes into force on 25 May 2018. The new regulation is designed to simplify and unify data protection laws across all countries in the EU, and to offer better protection for individual EU citizens.
GDPR applies to any organisation which holds or processes information about residents of the EU, even if they are based elsewhere – for example, companies in the United States or China. In the UK, the rules will also still apply following Brexit, with the government planning to introduce a data protection bill which will closely mirror the GDPR regulations.
Why was GDPR introduced?
The way organisations gather and process data has changed dramatically in recent years, and GDPR aims to bring existing legislation – such as the Data Protection Act – up to date. The objective is to give individuals far more control over their personal data and how it is used. Under the new legislation, any business that processes data unlawfully risks being hit with a substantial financial penalty – one far higher than anything previously faced. The maximum fine is £20,000,000, or 4% of worldwide annual turnover, whichever is higher.
A common misconception around GDPR is that it doesn’t permit businesses to process personal data, or you may have heard that you specifically need ‘consent’ to process personal data. This is not strictly correct. The GDPR is there to protect and control the use of personal data, but it is not intended to hinder business or industry; the intention is to ensure businesses consider the rights and freedoms of their data subjects.
Example: Consider the police force. They have a necessary requirement to process personal data in the interest of public safety, and they of course could not seek consent from their data subjects before collecting and processing the data, otherwise it could compromise the case! GDPR applies across all industries and therefore, logically, there are actually six lawful bases on which an organisation can collect, process and store data.
The six lawful bases are as follows:
Legitimate interests
The ICO specifically mentions direct marketing as an area where it could be deemed necessary to leverage legitimate interests. It notes that the processing must be a targeted and proportionate way of achieving your purpose, and that the organisation should also consider whether there is another reasonable and less intrusive way to achieve the same result.
The ICO recommends conducting and documenting three tests when looking to leverage legitimate interests:
Purpose test: are you pursuing a legitimate interest?
Necessity test: is the processing necessary for that purpose?
Balancing test: do the individual’s interests override the legitimate interest?
Consent for a specific purpose
For consent to be used as the lawful basis, individuals must give their explicit consent (not assumed through a pre-ticked box, etc.) and positively opt in to their data being held and used. Here, you must always offer very specific options, so that you get separate consent for separate actions. If services are being offered to children, then parental consent will be a requirement. In any case where consent is difficult to obtain, you must look for a different lawful basis for your data processing.
Performance of a contract
You can lawfully process data if you have a contract with the individual and you need to process their personal data in order to comply with your contractual obligations. This option will also cover you if you don’t yet have a contract, but have been asked to do something that requires you to process their personal data, such as producing a quotation.
Controller bound by legal obligation
You can also process personal data if you are required to do so to comply with a common law or statutory obligation. This doesn’t, however, apply to contractual obligations. If you can reasonably comply with a law without processing personal data, then this basis won’t apply. If you do use this lawful basis, then you must document your decision and the justification for your reasoning, including details about the specific law or guidance concerned.
To protect vital interests
This will only apply to organisations which are required to process data to protect someone’s life, for example if you are providing emergency medical care. Even in these cases, if the individual is capable of providing consent, then it must be sought.
Public interest or official duty
This lawful basis allows you to process personal data if the task is in the public interest, or if you are required to perform a function that has a clear basis in law.
What Constitutes Personal Data?
Offering greater protection for personal data lies at the heart of the new regulation, so you first need to understand what constitutes personal data under GDPR. As the processing of any personal data falls under its remit, organisations operating B2B, B2C or business-to-employee models will all have the same obligations.
What is classed as personal data?
Identifying information – This includes any information that can be used to identify a person (either directly or indirectly), including name, identification number, email address, bank details and an IP address, etc.
Sensitive personal information – This includes genetic data, or information around health, sex life, sexual orientation, religious & political views, and mental, physiological, economic, cultural or social identities. Basically, anything that could put someone at risk of unlawful discrimination.
So What’s Different About GDPR?
GDPR is nothing new; it is an evolution of existing policy. Anyone who is already complying with the Data Protection Act should be some way down the road towards compliance. There are, however, some key points that differ from the existing legislation. These changes are designed to ensure that EU residents have far more control and understanding over how, when and why their personal data is being used. There are also some subtle enhancements to existing rules. For example, even though individuals have always been able to make information requests to see what data a company holds on them, it is now a legal requirement that these requests are handled free of charge. So, when your business collects, processes or stores personal information, you must ensure:
It is processed lawfully, fairly and in a transparent manner
The data is processed for a specified, explicit and legitimate purpose
All information held is relevant
All data is accurate and up-to-date
You do not keep data for any longer than necessary
Information is handled and processed in a way that maintains security
Consent has been obtained for any new and existing data that you hold or process
You have a lawful basis for processing the data
What are the key differences between GDPR and the Data Protection Act 1995?
Companies will be held far more responsible for the data they hold and process
Fines for breaching GDPR and the misuse of personal data have been drastically increased. The maximum fine under GDPR is now either £20 million or 4% of worldwide turnover, whichever is higher
If an individual can potentially be identified by a pseudonym, username or other unique handle, then their data will now be protected under the updated regulations
Sensitive personal data now includes genetic and biometric data
Consent was previously defined as “the data subject has given consent to the processing of data”. Under the new regulations, this now means “the data subject has given consent to the processing of data for one or more specific purposes”
GDPR also brings in additional protection for children’s personal data, particularly for commercial internet services such as social networks. They will now require a parent/guardian’s consent to process the data of a child under 16 years old (although this may be lowered to 13 in the UK). This consent must be recorded, verifiable and written in a language that children will understand.
Further Information Regarding Legitimate Interests
Of the six lawful bases specified under GDPR, ‘legitimate interests’ is the most flexible. However, there are some strict guidelines around its use. Data can be processed in the legitimate interests of the data controller (or a third party), and that can include the personal or business interests of yourself or a third party. The key exception is where such interests are overridden by the interests or fundamental rights and freedoms of the data subject – especially if that subject is a child.
The process of direct marketing is detailed as a potential use of legitimate interests, but this shouldn’t be taken as a free pass to do whatever you want. Processing under this basis places additional responsibility on the organisation to consider and protect each individual’s rights and interests. Data processing must be proportionate, targeted, have the smallest possible impact on the individual and not require consent under the Privacy and Electronic Communications Regulations (PECR), which focus on additional protection for consumers. Here is a basic checklist of the type of questions that need to be considered:
Have you identified a legitimate interest?
What are you trying to achieve? Is this method necessary to get these results, or are there less intrusive methods available?
What is the benefit of the data processing and what would be the impact if it didn’t go ahead?
Are the data subjects’ rights being balanced correctly against your own?
Is the data you are looking to process sensitive or private? Are you processing the data of children or vulnerable individuals?
Have you included suitable safeguards to ensure the data is protected? (if not, what can you put in place to minimise impact and risk?)
In a nutshell, legitimate interest only applies if the processing you wish to carry out is deemed necessary. Necessary here means that it is proportionate and targeted, and that the same result couldn’t be achieved through any other, less intrusive means.
What is a Legitimate Interest Assessment?
If you decide to use legitimate interests as a lawful basis, then a Legitimate Interests Assessment (LIA) must be completed in all cases. An LIA is basically a risk assessment that aims to ensure you’ve gone through a comprehensive decision-making process and have balanced your own interests against those of the data subject. There isn’t a standard format that you must follow; however, you must clearly show that you have considered everything and can justify the outcome reached. Your LIA must be continually reviewed and updated whenever there are any significant changes in the nature, purpose or context of the processing you are undertaking, to ensure your new purpose still complies. If there is a conflict, it is still possible for your interests to prevail, as long as there is clear justification.
Remember to keep a record of all LIAs you complete, as you’ll need to demonstrate compliance and to prove that you have fully weighed up personal interests and potential effects. This will be vital evidence, especially should a data subject complain or raise a query.
The right to be informed
The right of access
Data subjects can request a full copy of the information your business holds about them at any time. You are obliged to provide this in a commonly used electronic format, and it must be provided within 30 days of receiving the request. Whilst you have the right to refuse any requests that are deemed deliberately unfounded or excessive (particularly if they’re repetitive or in quick succession), you must tell them you are doing so within one month, at the same time informing them of their right to complain to the supervisory authority or take legal action.
The right of rectification
If at any point an individual finds the information you hold on them is incomplete or incorrect, then they can request that you rectify it. These changes must be made within one month.
The right to erasure
The individual has a right to have their personally identifiable information deleted completely from your system on request. This is also known as the ‘right to be forgotten’. It is important to know the difference between erasure and opt out. In order to honour an opt out, your organisation will need to retain some personally identifiable information. For example, in email marketing, to ensure suppression of opt outs, organisations will have to keep a database of all email addresses that do not wish to receive email communication. If a request for erasure is received, the data subject is effectively asking for all data that is held to be removed – including any data held on suppression files. The consequence is that erased data could, in the future, be added again, whereas if the data is permitted to be suppressed, the business is in a position to ensure that any future email correspondence is suppressed. Organisations should look to manage expectations when handling requests, to ensure that data subjects understand the difference between erasure and suppression.
The right to restrict processing
An individual can object to you processing their data for any task they wish. While you must abide by their wishes, you can continue to hold data that does not conflict with their request. An example of this would be in email marketing when a person requests to opt out.
The right to data portability
If someone has willingly provided their information to you, they also have the right to request that you transfer this data to another organisation, in a standard electronic format. If this service is requested, you must comply within one month, free of charge.
The right to object
Individuals have the right to object to any form of data processing and marketing, at any point, including to retract consent they have previously given.
Right to object to automated decision making
To protect individuals from potentially damaging decisions being made by automated systems, users can request the manual intervention of a human. Any systems you currently have need to be updated to allow cases to be referred to decision makers who can speak to the user directly in the case of a dispute.
In summary, individuals are being given far greater control over their data and the onus is on organisations to ensure these rights are met in a timely manner (typically being one calendar month from the date of a request).
In the past, marketers would traditionally have tried to gather as much information as possible about potential customers, to better understand and target them (profiling). But under the new GDPR rules, marketers will only be allowed to gather the information that is required to fulfil the purpose of the data processing. Any information gathered must be relevant and targeted, to be considered legally justified.
This means, for example, that if you run a competition or campaign to gather data, it can only be used for the purpose initially agreed.
If you gather information which is deemed unnecessary, or are found to be using data for purposes other than it was given, then you could be in breach of GDPR rules and find yourself on the receiving end of a hefty fine.
In the B2B world, marketers will be able to leverage ‘consent’ or ‘legitimate interests’ as a lawful basis for processing. Emails that target a B2B audience and which leverage a segmented target database are likely to be able to leverage ‘legitimate interests’ as the reason for collecting and processing data.
For example, if an organisation sells HR software, and sends an email about the HR software to HR Managers at their business email address, it could be feasible that the recipient would be interested in the software based upon their current job role, which could be deemed a legitimate interest. If, however, that same HR Manager becomes the Sales Manager, the individual is unlikely to still be interested in HR software, and therefore the need for businesses to keep data up to date and current is critical.
Regardless of who you’re sending your email to, you must never conceal your identity and must always clearly identify the marketing context of the message itself. Each email or message needs to provide clear information about how to withdraw consent, which must be simple to do.
The Opportunity Presented by GDPR
At first glance, these new rules may seem like a headache for marketers, but it’s not all doom and gloom. The reality is that marketing will adopt a data-first mentality, and the importance of safeguarding the interests of the data subjects will be front of mind – which can only be a good thing! Marketers will be encouraged to think about how they are handling data, what they are using it for and why they are using it, and should look to document their thought processes and rationale in extensive policy documentation to show effective due diligence. It is right that marketers adopt a more segmented, relevant approach to marketing – which should in turn actually yield a better overall result for the business whilst protecting the rights and freedoms of the data subjects at the same time. A double bonus.
Will GDPR Kill Off Sales?
GDPR doesn’t mean the end of sales!
Like marketing teams, sales teams should be looking to take a highly targeted, segmented approach, contacting only those that have either consented to receive sales correspondence or those that are likely to have a well thought out legitimate interest in the products or services being sold. Sales professionals need to take heed of the right to withdraw consent, and therefore an effective CRM system is a must to ensure that sales professionals can centrally log a withdrawal request from a data subject.
Under GDPR control is put even more so into the hands of the individual – and rightly so. Therefore, organisations looking to overhaul their Sales and Marketing strategies as a result of GDPR should be considering:
An effective CRM system
How leads are procured
Lead Chameleon is an example of marketing and sales enablement software trailblazing in a GDPR-compliant environment. Lead Chameleon identifies the visitors to an organisation’s website, fuelling marketing and sales teams with the business-related contact details of people actively interested in the products and services of their organisation. Businesses can operate a marketing and sales function safe in the knowledge that their leads have pro-actively visited the business website – how much more of a legitimate interest could there be than someone perusing a company website?
While it’s true that GDPR is likely to impact many businesses and how they currently operate, it also presents a great opportunity to bolster inbound marketing campaigns – a strategy that can bring new customers to you in a manner which complies perfectly with the new laws.
Disclaimer: The information contained on this site is not intended to be legal advice and should not be seen as a recommendation of any particular legal understanding in relation to GDPR compliance. It is simply an overview of the EU data privacy laws and some of the key issues that certain businesses may need to address. It should not be thought of or relied upon as legal advice. If you are at all unsure, then always seek the advice of an experienced legal team, who will be able to advise you in detail about your individual circumstances.
Further information with regard to GDPR, including the full GDPR regulation can be found at: https://ico.org.uk