In a recent online article, the Legal Correspondent for BBC News asked the question “GDPR: Are you ready for the EU’s huge data privacy shake-up?”
For many businesses the truthful answer would still be “NO.” But the worst thing is to be paralysed into inaction through not being able to fully understand the complexities of GDPR (General Data Protection Regulation). The aims of the legislation are sensible and necessary, especially in the light of the recent widely publicised examples of data misuse and data breaches.
GDPR is the new quality standard for the retention and use of data. So, as with other quality standards, such as those for manufacturing or environmental best practice, there are compliance processes to be followed. It is important to take steps in the right direction, even if they are faltering ones at first.
Enforcing Compliance
Clive Coleman’s BBC News article emphasises the urgency of complying with GDPR, given that the regulations become law from 25th May 2018. There is reference to the eye-watering fines that can be levied, but loss of reputation is also a major issue. Even the largest businesses can be severely damaged if they are seen to be playing fast and loose with personal data.
Most companies wish to follow the rules and support the need to protect the individual’s rights to data privacy. The ICO is the body responsible for enforcing GDPR in the UK and has an advice service for small organisations, which we have found useful.
Demonstrating Commitment
As a website development and online marketing agency, BBI Brandboost is affected both as a controller and processor of business data. Our contacts with the ICO have confirmed that they are determined to help rather than penalise.
This is borne out by the Information Commissioner Elizabeth Denham when she explains that the ICO will only take GDPR enforcement action “where there has been serious and sustained harm to individuals.”
She also realises that some companies may need time to become fully compliant. Importantly she states that: “The first thing we are going to look at is, have they taken steps, have they taken action to undertake the new compliance regime – do they have commitment to the regime? We’re not going to be looking at perfection, we’re going to be looking for commitment.”
So what does this mean for your company, and the services it offers? For many, the questions this raises relate to business outreach, both B2B and B2C. We have looked into areas that affect our business such as email marketing and online lead generation. We are not legal experts, but maybe our research can provide insights relevant to your business activities.
Mailing with consent
Establishing consent from email marketing recipients in line with GDPR is essential. Econsultancy has just published an excellent article on this subject. Many companies are confident that the mailing lists they use, whether their own or third-party, are already GDPR compliant, but others are seeking re-permissions to make sure. The Econsultancy article describes good and bad examples of how these permissions are being sought.
In a recent article on the BBI Brandboost website, we wrote that GDPR compliance could create significant opportunities through having a positive effect on engagement rates. This is because the audiences will be correctly targeted for information they genuinely want. When making sure the people on your email list have consented to the specific information they receive, it is important to note that you cannot assume the same consent for different material.
Handling data
When it comes to personal data, it must be collected for “specified, explicit and legitimate purposes” according to the GDPR.
For example, when it comes to providing a contact form on your website, we believe you should state clearly that the subject has the right under GDPR to withdraw consent. The form should also separate out the information or services that the recipient may wish to accept. Once again, consent must be specific. This is known as “granularity” in terms of GDPR, and is a term we have become increasingly familiar with!
Lead generation
Consent is always a factor to consider when it comes to personal data. If you are asking for personal data that is not deemed necessary in your lead generation activities, then there is no valid reason to ask for such data. As GDPR states, consent is not freely given if the subject is unable to refuse without detriment.
As regards the forms to fill out in order to receive or download information – well, this is where PECR (Privacy and Electronic Communications Regulations) and GDPR overlap somewhat.
Incentivising consent for marketing purposes falls under a different set of rules. It would seem that asking for consent to electronic marketing as a precondition to download information is okay, as this relates to the PECR.
Moving Towards GDPR Compliance
BBI Brandboost is committed to the aims of GDPR and we believe we have set ourselves on a positive path to compliance. Any personal data we have held has always been handled with great care but we are by no means complacent.
As stated before in this article, we are not legal experts. We are also well aware that every business is different in the way it controls and processes data. The key is to ask the right questions, and show that you too are committed to GDPR.
BBI Brandboost aims for the highest standards of performance and best communications practice in the full range of services we provide for our clients. Please contact us at any time to discuss your business requirements.
N.B. None of the above content should be considered as constituting legal advice in any form.