GDPR: What can and what not?
GDPR: the final sprint to may 2018
The 25th of May 2018 is almost here: the day when the General Data Protection Regulation (or GDPR) comes into force. From that day on the new data protection law will replace the current Personal Data Protection Act. The GDPR has already been in operation since May 2016, but has a transition period of 2 years in order that companies and organizations can make the necessary adjustments to their processes. This transition period is now almost over, but are you ready for it?
The goal of the GDPR
Data protection concerns the processing of personal data. This is all data that can be directly or indirectly traced to a person. This can be name and address data, e-mail addresses, but also the IMEI number of your smartphone. Processing actually refers to everything you do with this data, even if you delete it immediately after use. As soon as you receive personal data in any form you must comply with the privacy legislation.
The GDPR applies to the entire European Union and its main goal is to align privacy legislation across all member states. The current Dutch Wbp/ Data Protection Act is already fairly extensive and therefore the new DPA does not contain any particularly shocking new rules. However, the privacy rights of individuals are extended and tightened. In doing so, more responsibility is placed on companies and organizations and, moreover, it is becoming easier for authorities at both national and EU levels to monitor and intervene with sanctions or fines.
Although it was not explicitly stated as an objective, the Data Protection Act was also due for replacement. The current law has been around since 1995, and if you consider how much the internet and the way we use it has changed in 23 years, it is certainly not surprising that the rules needed to be revised.
What should I organise now?
The adapted privacy rights are mainly about transparency, consent and management. Marketers will face this with email campaigns and tracking via cookies. The Dutch Data Protection Authority is the Dutch regulator in matters relating to personal data. They have one extensive page with information and questions about the changes that the GDPR brings with it, but we have listed 7 important points for you to pay attention to.
- Opt-in
First of all, you must inform the user about the recording and processing of personal data, and the person concerned must explicitly give permission for this. This opt-in must fulfill a number of conditions for marketing purposes:- Inform: specify in clear language what data is being collected, what it is being used for, and how long the data will be stored
- Active: permission must be given by the person concerned. This means that forms with pre-checked boxes or ‘give your consent’ are no longer allowed
- Free: the permission cannot be used as a condition for using the service / website
- Unambiguous: there must be no doubt that permission has been given
- Accountability and burden of proof
Companies and organizations have a lot more responsibility under the GDRP regarding the personal data collected by them. They must at all times be able to prove that valid consent has been given by the person concerned; for this the opt-ins must be registered in detail. Please note that valid consent, including full registration, is required for all personal data in your file. This may mean that you have to request permission again for existing mailing lists.
- User access to own data
The GDRP stipulates that data subjects must have easy access to their own data in order to be able to change it. For example, this could be an account page with data and preset settings. This requires a CRM system, something that can be a big obstacle for small businesses.
- Opt-out and the right to forgetfulness
The person concerned has the right to be forgotten, and all personal data must be deleted. The challenge is that this should be as simple as the opt-in. If permission was given via a tick, it should also be possible to withdraw it again via a tick. Please also note that if you have shared the data with external parties, you are responsible for the removal of the data by these third parties when requesting deletion. - Data portability
Something completely new is the right to data portability. This means that the customer can request that their data be made available in an accessible file format so they can, for example, pass it on to an alternative supplier for the relevant service. The GDRP states that the data must be provided in a ‘structured, current and machine-readable format’. Lora Mourcous published a clear article about this new privacy law on the website securityvandaag.nl in July 2017.
- Analytics and advertising via third parties
If you use digital marketing, you probably employ external service providers to analyze your traffic and display advertisements. It quickly becomes confusing who is responsible for obtaining and managing permissions. The good news for you is that in most cases this responsibility lies with the platform, unless you forward directly obtained personal data to the platform. For example running remarketing campaigns using on your customer base. A particularly extensive article by Wouter Nieuwerth appeared on marketingfacts.nl in October 2017 which gives an overview and tips for the most common scenarios concerning online advertising platforms. - Privacy statement
It may be a no-brainer, but do not forget to review your privacy statement. Of course this must reflect the new rights and obligations which needs to also be written in clear language. Make sure that your focus is not only on a legally correct text, but that you also show the underlying intentions clearly and transparently.
Challenge or opportunity
Yes, it is quite a job to organize your processes in such a way that your marketing activities comply with the GDPR. Certainly for small companies with limited capacity it will be a challenging period. Yet this legislation has been developed with good reason: society has created a greater need for more transparency, and the consumer has lost confidence that their personal data is being handled appropriately and with due care.
I hope that you can also see the opportunities that comes with this challenge. Cleaning your customer base ensures that you have an audience that has confirmed their interest in your business or product. Because marketing has been about transparency, trust and a customer-oriented approach for many years, the new legislation is a logical development of data protection. By showing the consumer that you take their need for privacy seriously, you gain their confidence and loyalty, and we can finally switch from quantity to quality.