GDPR is nearing, but a lot of businesses remain in the dark about handling data - here's what you need to know.
GDPR (General Data Protection Regulation) comes into force on the 25th May - “the biggest change to data protection law for a generation” according to Elizabeth Denham, the UK Information Commissioner and head of the ICO.
A recent poll suggests 39% of companies worry non-compliance could lose them staff - or worse - put them out of business. While much has been written about what GDPR is (including its €20m fines) and what you need to do to prepare, there are still areas without ICO guidance. Here we examine three of the key unknowns.
Figure: the chief concerns relating to GDPR and its effect on business - source: poll of 900 businesses by the DMA, announced April 2017.
GDPR and consent: brand vs sector
This is an area around consent where urgent clarification is needed.
European GDPR law states it should be at sector level. For example, a customer can say they’re happy to hear from a charity but not financial services. Therefore, if you collect and sell your data (or work in different sectors) you need to factor this in. Similarly, you should ensure your marketing agency knows this.
The ICO may take this even further for the UK. They’ve hinted that consent should be at brand level. For example, a consumer can say they’re happy to hear from Company X but not Company Y.
To add another layer of complexity, you’ll need to re-consent for new customers. This will severely limit the ability of any organisation to monetise their data.
Definitive guidance is still needed if companies are to plan how to comply with the incoming regulations. Especially if they’re looking at new ways to monetise their data. Unfortunately, this is unlikely to come until the end of the year.
In the meantime, we’re helping our customers prepare for both scenarios. To be safe, we’d recommend your organisation does the same.
GDPR comes with heavy fines, but not a great deal of clarity
The UK’s businesses are having to face facts - most potential customers don’t sign up when they see a tick box. Furthermore, even fewer tick when it’s away from the T&Cs box. An active opt-in is just not very appealing.
Under GDPR, there are several alternatives to consent:
· You have a contract with the individual
· There are legal obligations
· It protects someone’s life
· It’s in the public interest
· There is a legitimate interest
What is legitimate interest though? Currently, it’s a bit vague.
It includes commercial benefit (provided it doesn’t harm the individual’s rights and interests). If you can justify that, in order to operate, you have a legitimate interest in communicating with existing customers, you can do so without an opt-in. However, you must still provide the option to opt out.
However, legitimate interest isn’t a simple way to avoid GDPR. It needs to be demonstrated and well documented. If you’re unsure, talk to an expert. This will be much cheaper than the cost of non-compliance.
Historical data: it’s in the past – does it matter?
Still with us? It’s about to get tricky.
Feedback from our customers suggests that the use of historical data is the most complex part. For new data, GDPR / ICO rules are about getting processes in place and are ‘relatively’ straightforward. What about existing data though? Do you really need to re-consent it?
The ICO has issued guidance - more draconian than GDPR - which enforces stricter rules on data collectors about the types of consent they collect.
What happens to old sign-ups?
The ICO did undertake a consultation process which found the guidance to be unreasonable and uneconomic. This process has finished and we’re waiting for clarification (it’s not clear when this will be published).
Additionally, ICO documentation says that if you rely on consent to process data and that consent doesn’t meet the GDPR standard, you can either “alter your consent mechanisms and seek fresh GDPR-compliant consent, or find an alternative to consent.” The alternative to consent here is legitimate interest (see above).
Theoretically, these options are for first-party data only. However, some have said you may be able to rely on legitimate interest for direct mail (provided you offer an opt-out). This applies only if a very clear description of how you’re going to use the data is included. The online equivalent is a soft opt-in.
Our advice: if you’re relying on legitimate interest or a soft opt-in, weigh up the importance of multiple factors and document your considerations. Remember, if it’s debatable to you, it will be to the ICO. Err on the side of caution.