What is GDPR? Why you need to take action now.

What is GDPR? Why you need to take action now.

7th November 2017 in GDPR

GDPR is the hot topic of the moment, and rightly so. This new legislation has been introduced to protect people’s privacy and the security of the data they share, and is not to be ignored.

It will pretty much affect every business situated in - or operating in, the UK or EU - (before and after Brexit!) so it’s important you understand the implications and what you need to do before enforcement begins on 25 May 2018!

What is GDPR?
The EU General Data Protection Regulation is a future-proofed regulation replacing the 1998 Data Protection Act, and must be abided by any business that trades within the EU or with EU data.

Although these are lawful regulations, GDPR isn’t all about compliance. It’s about a change in culture in order to safeguard people’s privacy and security, and to ensure that the data we collect is used in a lawful, fair and transparent way.

The ICO is looking for organisations to make a positive change around privacy.

When does it come into force?
The Regulations are actually already in place and have been since May 2016, however the key date to be aware of is when enforcement will begin - 25 May 2018.

What could happen if you don’t follow GDPR?
If you have a breach, or are reported to the ICO (Information Commissioner’s Office), and are found to be collecting, storing or processing personal data in contradiction to GDPR, you could face fines up to 4% of your company’s annual global turnover, or €20 million.

How does this affect marketing?
It’s important to understand that these regulations haven’t been put in place to prevent you marketing your business to potential or existing customers; you just have to be more conscientious about how you collect, use and store their data.

So at its simplest, in terms of digital marketing, you will need to think about….

  • Website enquiry forms:
    • Do you explain to the customer how you will use the data they provide and how they can unsubscribe / change their consent at any time?
    • Do you request their consent to future communications?
  • Newsletter sign-up forms:
    • Do you explain to the customer how you will use the data they provide and how they can unsubscribe / change their consent at any time?
  • Privacy policies and terms:
    • Have you updated your privacy and terms to reflect the new GDPR regulations and is there a clear link from enquiry forms for people to view these documents?
  • Email marketing:
    • Have you analysed your existing database to ascertain how consent was originally gained?
    • Does your database show:
      • Date of consent
      • Segmentation showing areas of business consented to receive information about
      • ‘Do not contact’ list of people who have unsubscribed from your emails
      • Reference how data captured e.g newsletter signup / enquiry form etc.

What do you need to do?

  • You need to determine whether the data you are collecting is sensitive or non-sensitive:
    • Sensitive data - personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic or biometric data.
    • Non-sensitive data - an identifier such as name, identification number, location data, online identifier or one or more factors specific to the physical, physiological genetic, mental, economic, cultural or social identity of a person.
  • You must have consent to process the data, which:
    • must be clear and affirmative
    • must be freely given

This means explaining what processing will take place on the subject’s information, and for what reason. E.g. Data will be used to send information relating to their initial enquiry via email, or data will be stored on a secure, encrypted server and used only in relation to your medical needs by relevant personnel.

  • Assess your existing database:
    • What do you possess?
    • What purpose do you have it for?
    • What processing is undertaken against it?
    • Who is involved in the processing?
    • Where is it located and how is it protected?
    • Does it meet the principles?
  • Assess your procedures:
    • How would you deal with a data subject access request?
    • What is your breach process?
    • Data decommissioning and implementing the right to erasure.
    • How do you collect data now? Is it compliant?
  • Check consent:
    • How was it originally granted?
    • Do you need to re-apply for consent?

It is understandable that this may all seem rather daunting, but hopefully this has given you a good overview of what is required.

More information can be found here:


More from the blog

What to include in a privacy notice - GDPR series

7th December 2017 in GDPR

By Lucy Adamson

What to include in a privacy notice - GDPR series

With GDPR enforcement just around the corner, businesses across Europe (and the world) are assessing the ways they collect data, and the privacy notices that sit alongside them.

In our summary of GDPR and how it will affect digital marketing, we mention the importance of using privacy notices on your website. So now you know that you need one, we’re ready to delve deeper into what a privacy notice actually is…

Read article chevron_right