GDPR: Understanding your data responsibilities

Our first blog post about the GDPR looked at what it is, how it impacts your business and shared some actionable steps for you to take. Now, our second article goes into more detail about data including what information the GDPR applies to, how data can be used for Marketing and three of the biggest changes which you need to act upon as soon as possible.

To briefly remind you, the GDPR is the General Data Protection Regulation which is a European Law that comes into effect on May 25th, 2018. It relates to the rights of data subjects and is in place to ensure that people are better informed about how their data is used and stored. As the date is fast approaching and in the most extreme cases, a business could be fined up to 4% of their turnover or €20,000,000, it is now time to take action to ensure you are GDPR compliant before the deadline.

If you are yet to understand the basics of the GDPR, we would recommend you find out more in our ‘What is GDPR and how does it impact your business?’ blog before continuing to read this one.

What personal data does the GDPR apply to?

When it comes to the data protected under the new regulation, it can be anything that either by itself or when combined with other available data, can be used to identify an individual. This is also known as Personal Identifiable Information (PII) and it includes:

• Name
• Email address
• Telephone number
• Account number
• National Insurance number
• Address
• Date of birth
• And any other personal information that could identify an individual

The General Data Protection Regulation is not just applicable to written data, it also applies to images and voice recordings.

How can data be used for Marketing?

Marketing data is where things can get the most complicated as you are trying to market to the audience, rather than providing them with transactional communications. Marketing communications are typically broken down into two main audiences; existing customers and prospective customers.

Currently, you typically need consent to legally market to prospective customers but when the GDPR comes into force, this legal basis will become stricter. Consent will need to be:

1. Specific
2. In response to a clear written statement
3. Distinguishable from other matters

Additionally, it needs to be as easy to withdraw consent as it is to give consent. Every business is required to keep a record of this information. “Opt out” consent will also no longer be valid and a clear positive action is needed.

On the other hand, the rules are slightly easier for existing customers as there can be a soft opt-in relating to relevant products if the client has completed an actual transaction.

3 changes that you need to act upon

The GDPR will impact all businesses in different ways but we are now going to share the three biggest changes which you should immediately act upon.

1. Tell people about how you use data

Under the GDPR, you need to have a readily available explanation of how you use data. It’s no longer enough to offer a good and legal reason to use the data. In your explanation, you should list what data you hold on them, state how long you will hold the data for, clarify the reason to why you have the data and outline how you are using it.

2. Be ready to help data subjects enforce their rights

A data subject is in control of their own data. They have a number of rights including the right to be informed, right of access, right to erasure, right to rectification, right to restrict processing, right to data portability, right to object and rights regarding automated decision making and profiling. You need to ensure you’re ready to act upon these rights. If a data subject wants to be erased, you need to be able to respond to their request. Or if a data subject wants a copy of their data, be ready to extract it and send it to them. Prepare answers and processes in advance so you know exactly how to help people enforce their rights.

3. Be aware of who is helping you with your data

Find out if there are any companies that help you with your data, especially those who process data. You must inform data subjects if you outsource any data to third parties. It’s important that you state who is handling their data and why you know that they will look after their data.

If you want to learn more, the Information Commissioner’s Office (ICO) has created a ‘Guide to the General Data Protection (GDPR)’ which goes into a vast amount of detail about the upcoming regulation changes.

If you’re interested in learning more about the GDPR from us, register your interest to receive any further educational content straight to your inbox.