Data. One of our favourite things here at Net Natives. We're always talking about how you should be collecting and maximising your data to target, engage and convert students. But are you ready for a seismic change in data protection that will affect every marketer?
This time next year, the current Data Protection Act will have been replaced with the General Data Protection Regulation (GDPR), a new law in all EU member states that will change the way organisations must collect, manage, protect and administer data. The new regulations will come into play from 25th May 2018, giving you a year to prepare to comply.
The GDPR simply aims for a greater harmonisation of data protection law around Europe. Individuals' rights will remain the same, as will the general principles of data protection law, so, if you're already properly complying with the current law, you shouldn't have too many changes to implement. Even so, every marketer will need to have an understanding of GDPR and implement any changes to the way they collect, store and use data ahead of the deadline. You'll want to be aware of the key changes.
- Notification abolished - you'll no longer be required to register under the Data Protection Act with the ICO.
- Greater responsibility for compliance - instead, you'll be required to hold internal records.
- Unambiguous and activity-specific consent - you must obtain freely-given consent to use an individual's data (pre-ticked boxes don't count!). You must also allow for separate consent for different types of data processing, to give individuals more control over what they're consenting to.
- Free subject access - there will no longer be an administrative fee for individuals who wish to request a copy of the data held about them by an organisation.
- Greater overseas reach - with a single legislation covering the entire EU, organisations can easily operate across Europe safe in the knowledge that they are lawfully using data, regardless of geographical borders.
- Penalties for breach - increased fines for data breaches will be introduced with the GDPR. This could be up to 4% of your annual turnover, or 20 million Euro, whichever is greater.
- Clearer policy required on data retention - you may now only retain information whilst you can justify using it.
- Greater responsibility for data processors - those who process data (us) on behalf of the data controller (you) have direct obligations for the first time.
- Risk-based approach for "sensitive" data, including Data Protection Impact Assessments.
- Greater technical security requirement - marketers should build in confidentiality and security by design.
- Mandatory data breach reporting - there is a new duty on organisations to report certain types of data breach if they occur.
It's an EU law, so what about Brexit?
The law is going to apply to any organisation that is either a Data Controller or Data Processor and collects data on EU citizens. Regardless of Brexit, the UK will have to comply with GDPR while it continues to be an EU Member State, and afterwards, when processing data relating to EU citizens. The Information Commissioner has said that any subsequent UK law will need to be "equivalent" to GDPR, so it's vital to start reviewing and adapting your data processes for GDPR compliance over the next twelve months.
Basically, if your organisation collects data from someone in Europe either directly or through a third party provider, it is your responsibility to comply with the rules of the GDPR 2018.
By taking part in our GDPR Confidence Survey, you'll be able to benchmark your own feelings on GDPR compared to other marketers in the sector and be amongst the first to receive our whitepaper on the subject.
We're also running a webinar on Thursday 3rd August, with lots of takeaway tips, insights and conversation designed to help you be more aware of the issues around GDPR and how you can get ready in time.