In just over a year’s time – 25th May 2018 to be precise – the GDPR will come into full effect. If you’re a business owner, you’re probably up to your ears in information about how to prepare for its enforcement. If you’re not clued up yet, then you should be worried. No matter how big or small your business, there are a lot of things to consider before the GDPR is enforced. What counts as personal data? Who in the business has access to the data? Is it my fault if the business suffers a data breach? Get to know your stuff, because a lack of compliance could mean a fine of four per cent of your global turnover or a €20 million fine (whichever figure is higher). To put it into perspective, if the GDPR had been in force when TalkTalk was breached in 2016, their £400,000 fine would have been around £59 million. For SMEs, a fine from the ICO is enough to plunge them into bankruptcy.
For businesses with reams of customer personal data, the GDPR is undeniably daunting. In the words of Stan Lee, “With great power comes great responsibility”. For any business using customer data for marketing purposes (I’ll hazard a guess and say that’s most businesses), the GDPR may seem like a dark cloud hanging over us. Yet we should look at the GDPR as an opportunity, not a hindrance to our marketing efforts. With major data breaches at TalkTalk and Yahoo in recent years, customers are becoming more wary of who has their data and how it is being used. And with that awareness comes mistrust. The GDPR is a chance to regain customer trust by being completely transparent about how their data is being processed, and respecting their ‘right to be forgotten’.
Under current data laws, customers should be able to unsubscribe from your communications at any time, and you shouldn’t contact them again unless they choose to re-subscribe in future. Yet lots of businesses aren’t even doing this properly: Flybe and Honda, for example, have recently been fined for emailing customers who had previously unsubscribed to find out if their ‘details are correct’. This is not only a worry for users but also a waste of time for businesses. Too many businesses are still viewing data as simply a commodity, rather than thinking about their customers’ likes and dislikes.
Under the GDPR, the way you use and retain customer data will be stricter still. If you’ve obtained a customer’s email address through an order they’ve made, you can’t simply stick them on your ‘special offers’ mailing list – they must have explicitly opted in. Changing what the data is used for from its original purpose is a breach of the GDPR, and you must destroy any data held about an individual at their request. Any data subject has ‘the right to be forgotten’ at any time. This isn’t a new law, but it will change under the GDPR.
Currently, the onus is on the individual to prove why their data shouldn’t be processed. Under the GDPR, this will be reversed. Any business that’s in control of personal data will be responsible for demonstrating why the data should be processed. The ICO has listed six different grounds for the legitimate processing of personal data that you’ll need to brush up on.
1. Consent - ‘The individual whom the personal data is about has consented to the processing’.
2. Contract - ‘The processing is necessary:
   a. in relation to a contract which the individual has entered into; or
   b. because the individual has asked for something to be done so they can enter into a contract’.
3. Compliance with legal obligation (including legal claims) - ‘The processing is necessary because of a legal obligation that applies to you (except an obligation imposed by a contract)’.
4. Vital interest - ‘The processing is necessary to protect the individual’s “vital interests”. This condition only applies in cases of life or death, such as where an individual’s medical history is disclosed to a hospital’s A&E department treating them after a serious road accident’.
5. Public interest - ‘The processing is necessary for administering justice, or for exercising statutory, governmental, or other public functions’.
6. Legitimate interest - ‘The processing is in accordance with the “legitimate interests” condition’.
The ‘legitimate interests’ condition is arguably the most complex of the six. Although the clause will not change massively under the GDPR, for commercial businesses at least, now’s the ideal time to get to know what it actually means. How do you define what a ‘legitimate interest’ is? It must be ‘clearly articulated, real and present’ – ‘speculative or vague’ just won’t cut it. Guidance suggests that anything from conventional marketing to internal admin can be classed as a legitimate interest for processing someone’s data.
Do customers still have the ‘right to be forgotten’ if the processing of their data is in the public interest or a legal obligation? That’s where things are a little less clear: companies can reject ‘right to be forgotten’ requests when the public interest, a legal obligation or their own legitimate interest outweighs the individual’s privacy.
The key is balance – does your interest in a customer’s data outweigh the benefits to them? For marketing purposes, your business should weigh up your interest in knowing your customers and promoting your products to them against your customers’ wish not to be constantly spammed. By following the guidelines, businesses will have to be smarter and clearer about their proposition to consumers; in theory, this means consumers will be more engaged and view the proposition more positively. It’s time to get creative in the way you ask customers for their data, from the language you use to the methods you choose.
Richard Gall, Communications Manager, Packt