GDPR sounds complicated and scary, but at its core are some very simple principles.
Compliance is, and has always been, a tricky business. Navigating the labyrinthine ins-and-outs of your region’s regulations is a time-consuming challenge, requiring both expertise and focus.
Nowhere is this clearer than in the impending implementation of the General Data Protection Regulation – more commonly known as GDPR – with research revealing that only 40 per cent of UK organisations are actually aware of the regulation, despite the fact that it will become law within only a few short months.
And even for those that are aware of GDPR, there is still much confusion over the regulation’s new rules; the number of businesses that felt they were on track ahead of the change dropped from 68 per cent to 55 per cent once they realised the full scope of the changes following recent guidance provided by the Information Commissioner’s Office (ICO).
A clearer focus
However, despite its reputation, GDPR is not as complex or challenging as it first seems. Data protection is not a new concept and GDPR is merely the latest iteration, replacing the twenty-year-old Data Protection Directive.
What is different is the extent of the protection offered – with GDPR safeguarding the privacy of every EU resident and citizen regardless of where the data is collected, stored, or processed.
The new regulation also ups the stakes for non-compliance – giving the EU the power to impose hefty fines up to €20 million or 4 per cent of annual global turnover, whichever is larger.
Data, data, data
The new regulation reflects the increasing value that is being placed on consumer data – with organisations doing all they can to gather information about their potential customer base.
And with a steady stream of data breach stories hitting the front pages of the papers, GDPR aims to quell consumer fears over how their data is being stored, shared and used. In fact, nearly three quarters (71 per cent) of consumers believe brands and marketers are using their personal data unethically – a worrying perception given how much data organisations hold on them.
With consumer rights at its heart, GDPR offers comprehensive guidelines on how organisations can correctly and responsibly handle data at every stage. For marketers specifically, one of the key requirements should be to adhere properly to the ‘consent’ of the consumer.
Under GDPR, ‘consent’ is defined as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
Businesses will therefore need to, first, inform individuals of exactly how they plan to use their data, and then, secondly, ensure they get clear, unmistakable permission to do just that.
A closer look
To understand this in more detail – at least for the benefit of a marketer – it is worth taking each condition of consent in turn, as set out in the text of GDPR:
- “Must be freely given”
Consumers should have genuine choice and control over how an organisation uses their data, and consent must be unbundled from other terms and conditions. In the words of the ICO, “consent cannot be a precondition for a service unless it is necessary to deliver the service.”
Organisations must clearly explain exactly what people are consenting to in a way they can easily understand; no legal mumbo jumbo - unless of course you are targeting solicitors!
The request for consent must be detailed: organisations should clearly identify themselves as the data controller, clarify each processing operation they will be performing and collect separate consent for each (unless this would be “unduly disruptive or confusing”). Finally, organisations must describe the reason behind each data processing operation and notify people of their right to withdraw consent at any time.
It must be clear that the person has consented and what they have consented to with an affirmative action (i.e. no pre-checked boxes). Nothing can be presumed; therefore, silence would not be a valid form of consent.
As well as those detailed above, it’s also important to take note of individuals’ rights, such as the ‘right to be forgotten’, where the data subject will be able to have all their personal data deleted (i.e. ‘forgotten’) when they no longer want to have a relationship with a brand.
By going down the route of consent, marketers and businesses can look to ensure a more fulfilling and informative relationship with their customers. And though GDPR does more tightly define what constitutes consent under the law, an honest and transparent approach has been hailed as best practice for many years – it’s just now that businesses are, by law, obliged to comply.
It’s also important to note that, when using consent as a legal basis, organisations must be able to demonstrate if – and when – consent was given. Reviewing the systems and processes you have in place for recording consent is also imperative, particularly to ensure you have an effective audit trail.
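The conditions above translate fairly directly into requirements on a consent record: one entry per processing operation, a grant only when there was a clear affirmative action, withdrawal recorded rather than the grant being deleted, and a way to show whether consent was in force at a given moment. The following Python sketch is an added example, not code from the article or any product it mentions; the class and field names, the purpose labels and the "Example Retail Ltd" controller are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable entry in the audit trail (constructed schema)."""
    subject_id: str        # data subject, as a pseudonymous id rather than raw PII
    purpose: str           # a single processing operation, e.g. "email_marketing"
    granted: bool          # True = consent given, False = consent withdrawn
    controller: str        # data controller named in the consent request
    recorded_at: datetime  # when the decision was captured (UTC)
    notice_version: Optional[str] = None  # wording the subject was shown, if a grant


class ConsentLedger:
    """Append-only record of consent decisions, one purpose at a time."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, subject_id: str, purpose: str, affirmative_action: bool,
               controller: str, notice_version: str,
               at: Optional[datetime] = None) -> ConsentEvent:
        """Record a grant. Only a clear affirmative action counts: silence,
        inactivity or a pre-ticked box is passed as False and is rejected."""
        if not affirmative_action:
            raise ValueError("consent requires a clear affirmative action")
        event = ConsentEvent(subject_id, purpose, True, controller,
                             at or datetime.now(timezone.utc), notice_version)
        self._events.append(event)
        return event

    def withdraw(self, subject_id: str, purpose: str, controller: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        """Withdrawal is appended; the original grant stays in the trail."""
        event = ConsentEvent(subject_id, purpose, False, controller,
                             at or datetime.now(timezone.utc))
        self._events.append(event)
        return event

    def has_consent(self, subject_id: str, purpose: str,
                    at: Optional[datetime] = None) -> bool:
        """Was consent for this one purpose in force at time `at`?
        The latest event on or before `at` decides; no event means no consent,
        and consent for one purpose never implies consent for another."""
        when = at or datetime.now(timezone.utc)
        relevant = [e for e in self._events
                    if e.subject_id == subject_id and e.purpose == purpose
                    and e.recorded_at <= when]
        if not relevant:
            return False
        return max(relevant, key=lambda e: e.recorded_at).granted

    def audit_trail(self, subject_id: str) -> List[ConsentEvent]:
        """Everything recorded for one subject, oldest first."""
        return sorted((e for e in self._events if e.subject_id == subject_id),
                      key=lambda e: e.recorded_at)


def rejects_passive_consent() -> bool:
    """True if the ledger refuses a grant that lacked an affirmative action."""
    try:
        ConsentLedger().record("subj-x", "email_marketing", False,
                               "Example Retail Ltd (constructed)", "v3")
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Constructed scenario: a subject consents to email marketing on the
    GDPR start date and withdraws a month later."""
    controller = "Example Retail Ltd (constructed)"
    ledger = ConsentLedger()
    t_grant = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    t_withdraw = datetime(2018, 6, 25, 9, 0, tzinfo=timezone.utc)
    ledger.record("subj-0001", "email_marketing", True, controller, "v3", at=t_grant)
    ledger.withdraw("subj-0001", "email_marketing", controller, at=t_withdraw)
    june_1 = datetime(2018, 6, 1, tzinfo=timezone.utc)
    july_1 = datetime(2018, 7, 1, tzinfo=timezone.utc)
    return {
        "email_on_june_1": ledger.has_consent("subj-0001", "email_marketing", june_1),
        "email_on_july_1": ledger.has_consent("subj-0001", "email_marketing", july_1),
        "profiling_on_june_1": ledger.has_consent("subj-0001", "profiling", june_1),
        "trail_length": len(ledger.audit_trail("subj-0001")),
    }


if __name__ == "__main__":
    print(demo())
```

The point-in-time query is what makes the record useful as evidence: a complaint about a marketing email sent on a particular date can be answered by asking whether consent for that specific purpose was in force on that date, and the append-only trail shows exactly when it was granted and when it was withdrawn.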
Preparing for GDPR is no easy feat. But for those looking specifically at consent compliance, the need to ensure your organisation has proper consent from its customers cannot be stressed enough. Lastly, and by no means least, as with all things GDPR, ensuring everything is properly documented is vital.