What is GDPR?
On 25th May 2018, Europe’s data protection rules undergo their biggest change in two decades. Since the previous rules were written in the 1990s, the amount of digital information we create, capture, and store has vastly increased. Simply put, the old system is no longer fit for purpose.
The solution is the European General Data Protection Regulation (GDPR), agreed by the EU member states and applying from 25th May 2018. It changes how businesses and public sector organisations may handle the personal data of their customers.
How Can We Help?
- Securing your website – All of our websites are built with the highest security protocols available and are regularly updated.
- Creating a re-permissioning campaign – We can build a comprehensive email marketing campaign that will make your mailing list compliant and of a higher quality.
- Set up compliant data collection – From on-site forms to automated email messages, we can ensure that your new leads are GDPR compliant.
Why is Compliance Important?
Recently, there have been scores of massive data breaches, including the exposure of millions of Yahoo, LinkedIn, and MySpace account details.
Under GDPR, a personal data breach (the “destruction, loss, alteration, unauthorised disclosure of, or access to” people’s data) has to be reported to the relevant data protection regulator, without undue delay and where feasible within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people it is about.
In short, if the personal data you hold is compromised, you MUST report it to the regulator unless you can show the risk to the affected people is negligible. The harms that count include, but aren’t limited to, financial loss, loss of confidentiality, damage to reputation and more. Note that this applies to accidental loss and alteration as well as to deliberate attacks.
On 25th May 2018 the processing of personal data by organisations will have to comply with the GDPR. The fines for failing to comply with the GDPR are significant.
Organisations that handle EU customer data, regardless of where the company is based, can face up to EUR 20 million in fines, or 4% of their total global revenue for the preceding fiscal year, whichever is higher, for GDPR noncompliance.
Staying compliant to GDPR demonstrates to your customers and clients that you share their concerns and respect the data you hold.
How does GDPR impact you?
MRS’s short guide detailing how GDPR affects your website security, email listings and customer data.
The full regulation
All 99 pages of the GDPR in full.
Preparing for GDPR: 12 step plan
The ICO’s 12 step plan to preparing for GDPR. This plan guides you through the basics.
GDPR checklist for data controllers
A checklist for data controllers to ensure safe data processing and security.
GDPR checklist for data processors
A checklist for data processors to ensure safe use of data.
Creating a re-permissioning email campaign
A guide to building a re-permissioning email campaign to keep your email list compliant.
Need something else?
What is GDPR?
The General Data Protection Regulation (GDPR), which will come into force on 25th May 2018, will change how businesses and public sector organisations can handle the information of customers. It is a modified version of the existing data protection legislation, designed to better meet the needs of a digital age.
Does GDPR affect me?
The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU, or that monitor their behaviour. It covers every stage of handling personal data, including:
- Data storage
- Data collection
- Access to data
- Use of data
What’s the difference between a data controller and processor?
A controller is an entity that decides the purpose and manner in which personal data is used, or will be used.
A processor is the person or organisation that processes the data on behalf of the controller. Processing includes obtaining, recording, adapting, holding, disclosing or deleting personal data.
What can I do to ensure GDPR readiness?
The GDPR is an evolution of the existing law. If you are already complying with the terms of the Data Protection Act 1998, and have an effective data governance programme in place, then you are already well on the way to being ready for the GDPR. For more information, check out our resources above.
Do I need to appoint a data protection officer (DPO)?
Under the GDPR, you must appoint a DPO if you:
- are a public authority (except for courts acting in their judicial capacity);
- carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
- carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
You may appoint a single data protection officer to act for a group of companies. Any organisation is able to appoint a DPO. Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure your organisation has sufficient staff and skills to discharge your obligations under the GDPR.
I don’t process any personal data but my Google/Mailchimp/SalesForce etc. system does.
The GDPR would call these systems third-party data processors: they process the data on the controller’s behalf, and the controller is still you. Using a processor does not remove your obligations; the GDPR requires a written contract with each processor setting out what they may do with the data. Most (but certainly not all) of these systems are run by US-based companies, who should be going through the process of becoming GDPR-compliant as well.
US companies should also be Privacy Shield compliant. The EU-US Privacy Shield framework was co-developed by the US Department of Commerce and the European Commission to provide mechanisms to protect the flow of personal data between the EU and the US. (Note: the Court of Justice of the EU invalidated Privacy Shield in July 2020 in the Schrems II judgment, so transfers to the US now need another mechanism, such as Standard Contractual Clauses.)
Will GDPR affect my existing data?
GDPR will impact the way you use that data in your marketing, but it won’t have a direct impact on that data itself. The law affects the things that surround your data, such as how you are handling and protecting it.
Am I about to lose my email database?
The new regulation states that you must make your withdrawal process clear; it needs to be as easy to withdraw consent as it is to give it. This doesn’t necessarily mean you’re going to lose your customers. It just means you’re going to have to be honest about your processes.
Ultimately the GDPR will help you refine your database, creating a higher quality list of genuinely interested customers.
I already use opt-in marketing. Am I compliant?
Consent is one of the lawful bases for processing under GDPR, and the one that email marketing usually relies on: you need freely given, specific consent from the people you email. So, if you purchased your email marketing data from a third party, odds are you never asked for their permission. In this case, you need to make those people aware that you have their data and ask them to confirm they want to hear from you. You can do this through a double opt-in process.
Double opt-in marketing is an additional step added to the subscribing process. Anyone who registers to receive your emails will now have to confirm that they do, in fact, want to register.
This is done by following a link that is emailed to them after the first opt-in stage. The second stage, clicking the link, proves that the address belongs to someone who actually asked for your emails (rather than an address typed in by a third party), and counts as a “positive opt-in” under the regulations. Keep a record of when and how each address confirmed, because you may have to demonstrate that consent later.
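The following is an added example, not code from MRS or from the original page, of how a double opt-in confirmation link and the matching consent-withdrawal link can be implemented securely: the link carries an HMAC-signed, expiring token bound to one email address and one action, so it cannot be forged, replayed after use, or turned into an unsubscribe link by editing the URL, and every consent event is recorded in an audit trail. The names (`make_token`, `MailingList`, `SECRET_KEY`), the 48-hour confirmation lifetime and the one-year withdrawal-link lifetime are assumptions for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Placeholder server-side key (assumed); load a real one from a secrets store.
SECRET_KEY = b"replace-me-with-a-32-byte-random-secret"

CONFIRM_TTL = 48 * 3600          # assumed policy: confirm links live 48 hours
UNSUBSCRIBE_TTL = 365 * 24 * 3600  # assumed policy: withdrawal links live a year


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(email: str, action: str, now: Optional[int] = None,
               ttl: int = CONFIRM_TTL) -> str:
    """Signed token binding an address to one action ('confirm' or 'unsubscribe')
    with an expiry; the nonce makes every issued link unique."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"email": email, "action": action, "exp": now + ttl,
                          "nonce": secrets.token_hex(8)},
                         separators=(",", ":")).encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return _b64url(payload) + "." + _b64url(sig)


def verify_token(token: str, expected_action: str,
                 now: Optional[int] = None) -> Optional[str]:
    """Return the email if the token is authentic, unexpired and for the expected
    action, else None. Signature check is constant-time; payload is only parsed
    after the MAC verifies."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload, sig = _b64url_decode(payload_b64), _b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    if data.get("action") != expected_action or data.get("exp", 0) < now:
        return None
    return data.get("email")


class MailingList:
    """Minimal subscriber store: an address is 'pending' until its confirmation
    link is followed, and only 'confirmed' addresses may be emailed."""

    def __init__(self) -> None:
        self.status = {}  # email -> 'pending' | 'confirmed' | 'withdrawn'
        self.audit = []   # consent trail: (email, event, unix_time)

    def subscribe(self, email: str, now: int) -> str:
        # First opt-in: record the request, but it is not consent yet.
        self.status[email] = "pending"
        self.audit.append((email, "requested", now))
        return make_token(email, "confirm", now)  # goes in the emailed link

    def confirm(self, token: str, now: int) -> bool:
        # Second opt-in: a valid click moves pending -> confirmed, exactly once.
        email = verify_token(token, "confirm", now)
        if email is None or self.status.get(email) != "pending":
            return False
        self.status[email] = "confirmed"
        self.audit.append((email, "confirmed", now))
        return True

    def withdraw_link(self, email: str, now: int) -> str:
        # Included in every marketing email so withdrawing is as easy as giving.
        return make_token(email, "unsubscribe", now, ttl=UNSUBSCRIBE_TTL)

    def unsubscribe(self, token: str, now: int) -> bool:
        email = verify_token(token, "unsubscribe", now)
        if email is None:
            return False
        self.status[email] = "withdrawn"
        self.audit.append((email, "withdrawn", now))
        return True

    def can_email(self, email: str) -> bool:
        return self.status.get(email) == "confirmed"
```

The action field is what stops a confirmation link from being reused as an unsubscribe link (or the reverse), and checking the address is still `pending` before confirming is what stops a leaked or forwarded link from being replayed once it has been used. The audit list is the evidence of consent you would show a regulator.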
How will GDPR affect e-commerce businesses?
E-commerce businesses typically hold more sensitive personal data than other industries (names, delivery addresses, order histories and payment details), so the security of that data should be at the forefront of your mind. The GDPR is very clear that businesses must store and access personal data securely, keeping only what they need for as long as they need it.
My firm employs fewer than 250 people. Am I exempt from the GDPR?
You have to comply with the GDPR regardless of your size, if you process personal data. Size is a factor in a range of areas including the requirement to maintain records of processing, but you must still be compliant.
So what next?
Contact us today and find out how we can help you.