How Does GDPR Affect You?

The General Data Protection Regulation (GDPR), which will come into force on 25th May 2018, will change how businesses and public sector organisations can handle the information of customers. It is a modified version of the existing data protection legislation, designed to better meet the needs of a digital age.

The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.

GDPR affects:

• Data storage
• Data collection
• Access to data
• Use of data

A controller is an entity that decides the purpose and manner that personal data is used, or will be used.

The person or group that processes the data on behalf of the controller. Processing is obtaining, recording, adapting or holding personal data.

The GDPR is an evolution of the existing law. If you are already complying with the terms of the Data Protection Act 1998, and have an effective data governance programme in place, then you are already well on the way to being ready for the GDPR. For more information, check out our resources above.

Under the GDPR, you must appoint a DPO if you:

• are a public authority (except for courts acting in their judicial capacity);
• carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
• carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

You may appoint a single data protection officer to act for a group of companies. Any organisation is able to appoint a DPO. Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure your organisation has sufficient staff and skills to discharge your obligations under the GDPR.

The GDPR would call these systems third party data processors. They are processing the data controller’s data on their behalf. Most (but certainly not all) of these systems are run by US-based companies who should be going through the process of becoming GDPR-compliant as well.

US companies should also be Privacy Shield compliant. The US Privacy Shield framework has been co-developed by the US Department of Commerce and the European Commission to provide mechanisms to protect the flow of personal data between the EU and the US.

GDPR will impact the way you use that data in your marketing, but it won’t have a direct impact on that data itself. The law affects the things that surround your data, such as how you are handling and protecting it.

The new regulation states that you must make your withdrawal process clear; it needs to be as easy to withdraw consent as it is to give it. This doesn’t necessarily mean you’re going to lose your customers. It just means you’re going to have to be honest about your processes.

Ultimately the GDPR will help you refine your database, creating a higher quality list of genuinely interested customers.

In order to be compliant with GDPR, you need consent from the people whose data you have or process. So, if you purchased your email marketing data from a third party, odds are you didn’t ask for their permission. In this case, you need to make those people aware that yourou have their data. You can do this through a double opt-in process.

Double opt-in marketing is an additional step added to the subscribing process. Anyone who registers to recieve your emails will now have to confirm that they do, in fact, want to register.

This is done by following a link that is emailed to them after the first opt-in stage. The second stage, clicking the link, confirms the identity of the person and counts as a “positive opt-in” under the regulations.

E-commerce businesses hold more sensitive information than other industries, so the security of your business should be at the forefront of your mind. The GDPR are very clear about how businesses should be storing and accessing their data.

You have to comply with the GDPR regardless of your size, if you process personal data. Size is a factor in a range of areas including the requirement to maintain records of processing, but you must still be compliant.