What the new EU General Data Protection Regulation (GDPR) means for B2B marketers selling into Europe
The EU has settled on the final text of its General Data Protection Regulation (GDPR) after four years’ debate. The GDPR will change the way businesses use data across all EU member countries. The scale of implementing this change is dauntingly huge - but with two years before the GDPR comes into force, now is the time for B2B marketers to look at how they are handling personal data and start to adapt to the changes that are required. So, what are the basics for the new regulations?
What is the EU GDPR?
Officially known as the Directive 95/46/EC the legislation is part of the EU privacy and human rights law.
The aim of the new regulation is to harmonise the data protection laws currently in place across the EU member states. Because it is a ‘regulation’ rather than a ‘directive’, it applies directly in every EU member country without the need for national implementing legislation. It also means that everyone has to comply.
What is the timescale for its implementation?
The GDPR becomes law on 25 May 2016 and then comes into force on 25 May 2018.
Which companies will be affected?
Initially the regulation will affect those with more than 250 employees processing over 5,000 records per annum, although in time smaller enterprises of all sizes and record throughput will come within its scope. The timetable for this extension is not yet clear. Importantly, businesses based outside the EU will also be affected by the GDPR if they operate inside the EU, extending its reach to a global level.
And irrespective of 'Brexit', any UK organisation doing business in the EU will need to comply with the GDPR.
So as a marketer, how will the new regulation affect my company?
Moving forward, brands will need to be more transparent with what they do with personal data, while individuals will have more control of their information. Marketers will be required to get “unambiguous” consent from individuals before using their data for marketing purposes.
What do I need to do?
Here’s a list of actions B2B marketers can start implementing ahead of the deadline:
1. Communicate effectively
Everyone from the C-suite to your marketing team should be aware that the law is changing, that the business must comply with GDPR, and what impact this will have on your business and how it operates.
2. Information audit
To be on the safe side, you should carry out an internal information audit and document all the personal data your company currently holds. Where the data has come from, who you plan to share it with and what you plan to use it for are just some of the things you need to consider.
3. Review your current privacy notices
Now is the perfect time to review your current privacy notices and put a plan in place in order to make any changes required ahead of the 2018 deadline.
4. Ensure you cover individual rights
It is extremely important that you have processes and procedures in place that cover all individuals’ rights under the new GDPR, including how you will delete personal data or provide data electronically.
5. Put in place procedures for subject access requests
A subject access request is a written request made by or on behalf of an individual for the information which he or she is entitled to ask for. You should update your procedures and plan how you will handle requests within the new timescales and be able to provide any additional information. With the new GDPR changes you will have a single month to comply with a request, rather than the 40 days available now.
6. Identify your legal basis
You should look at the various types of data processing your company carries out, identify your legal basis for carrying it out and document it!
7. Review your consent procedure
You should already have a procedure for this in place, but whether or not you do, review how you are seeking, obtaining and recording consent for all your data.
8. Personal data breach
Ensure you have the right procedures in place in order to detect, report and investigate a personal data breach.
9. Data Protection Officers to the rescue
New requirements brought in under the law will include the need for large companies to appoint a Data Protection Officer (DPO) – this applies to organisations with more than 250 employees. If this is you, you should think about designating a DPO within your company and see where this role would sit within your company’s structure. This individual will have the job of independently assessing the organisation’s data governance stance.
10. Carry out a Data Protection Impact Assessment
Assess all personal data processing activities, both current and planned. Is this personal data processing being conducted with the consent of the Data Subject? The burden of proof is now on the Data Controller to show evidence of consent, which needs to be unambiguous. The information delivered in ordinary language, the time period for which consent has been given and the purpose for which the personal data can be used all need to be properly recorded.
11. Ensure privacy by design
This is a principle of the GDPR and must be embedded into any new personal data processing. This should be thought about early in the process to enable a structured assessment and validation. Implementing privacy by design can demonstrate compliance and create sustainable competitive advantage.
12. Moving data outside the EU
With any international personal data transfer it will be important to check that the Data Controller has a lawful basis for transferring personal data to anyone on the ‘approved’ countries list. Getting this wrong could attract a fine of up to 4% of annual worldwide turnover, so the consequences could be severe not just financially but also from a reputation perspective.
Final thoughts from one B2B marketer to another...
It is extremely important to make sure that we stay up to date on all the latest news when it comes to personal data regulations - there’s no shortage of information and good courses out there, so let’s invest our time wisely and learn more in order to become much more valuable marketers.
Sylvia Laws, Managing Director, Technical Associates Group