Are you ready for the changes to data protection law. We thought it was high time for a GDPR update. Rosemary Smith, from Opt-4 joined us around a year ago, and her podcast on GDPR, or the General Data Protection Regulations, really engaged our listeners. She’s still our top download. It’s a very hot topic (you can listen again here).
Time for a GDPR update
So, we thought it would be great to have Rosemary back to give us a GDPR update and to motivate those business owners who have yet to get going. For more GDPR information and guidance visit Delphix.
Rosemary is a leading expert on GDPR.
There has been a major uptick in activity with GDPR. Since we last spoke, the UK Government has confirmed, despite Brexit, that GDPR will be coming in on 25 May 2018.
On Christmas Day this year, it will be exactly 6 months till GDPR!
Rosemary has been involved with the Information Commissioner’s Office, as there is as yet NO official guidance as to how we should be interpreting some of the key aspects of GDPR. We did have some draft guidance from the ICO on consent.
This is causing consternation as the barrier for consent is MUCH HIGHER than it currently is under the DP Act.
The draft guidance had no surprises. Consent needed to be unambiguous and confirmed by a statement or clear affirmative action.
In essence, is affirms opt-in consent. No pre-ticked boxes. Some fairly tough words around 3rd parties use of data. So, that is not the data collecting business itself but any other organisation to which you might want to pass data. The guidance is very clear in that you need to NAME all of those 3rd parties at the point at which you collect the information.
Is this punitive compared to how things are now?
Industry sectors like insurance, financial services, etc is typical now. But that looks unlikely to be part of the new regime. They have dismissed ‘defined sectors’. But they haven’t published final guidance, and they won’t be doing so until the ICO has final guidance from Europe on consent.
Article 29 Working Party – all the regulators around EU getting together and agreeing a position.
It is likely to be December 2017 before we get final guidance.
If the outcome is purely opt-in, then the eco-system around prospecting to individuals in the UK via direct mail, for example, would be affected by the reduction in the availability of permission based lists.
That is one of the reasons that Royal Mail and others, including Rosemary Smith, engaged with the ICO to discuss the alternative to consent.
Balance of Interest or Legitimate Interest
This is in the current law, but will have more emphasis in GDPR. It is where an organisation asserts that it has a legitimate interest to process the individual’s data. That it is necessary to process it. And crucially, that they can process that data without harming the rights of the individual. It is a balancing test.
To date there has been no guidance from the ICO on this. So, Rosemary’s Data Protection Network
an online community that advises and helps people to unpick this legislation. Their Governance Board decided it would be a good idea to get industry representatives together, supported by the Direct Marketing Association, and the Incorporated Society of British Advertisers. They unpicked where it could and could not be used.
They sent that draft to the ICO and provided comment. It was published in July.
What are the situations where Legitimate Interests are going to be relied upon?
i.e. Employees. Consent has to be freely given. In a firm, the staff really have no choice other than for their data to be processed by their employer. Especially if they want to be paid!
So the business has a legitimate interest. The employee has rights, so they can still access their data, so it balances.
i.e. Data for Postal Purposes. It does say in one of the paragraphs in GDPR, that the use of data for direct marketing purposes may be a legitimate interest. That is RECITAL 47.
So instead of consent, you may use legitimate interest for mailings to your own customers or prospects. Subject to the company doing a BALANCING TEST or Legitimate Interest Assessment, it will be possible to rely on Legitimate Interests for postal communications.
As a minimum, you should be telling people where you collected the data from.
Avoid Small Print. Transparency does not mean 6-point text!
Individuals expectations comes into this. Is it a reasonable expectation that the company processes the information?
i.e. The Open Register – register of electors. Open for legitimate commercial use. The councils can still provide this data for aggregators for prospecting.
6 different lawful bases. Consent, Legitimate Interest, Legally Necessary.
Will Local Authorities continue to offer opt-out or opt-in?
The last 12 months, Rosemary Smith has spent a lot of time unpicking this legislation on this site:
The big changes in the last 12 months?
What would the wording be like? Organisations have started to test. Rosemary has got very reasonable OPT IN.
- Wording right
- Reassurance right
- On Brand
- Not bundling the consents together
- Every organisation should look at it.
- There are 13 different things!
Be transparent. The BBC site is a very good example.
What should you be saying in your opt-in statement?
- Talk in a tone of voice that’s consistent with your brand
- Who you are (not your brand name, but your company name)
- Separate out the various channels – offer separate boxes for
- Make it clear that you care about their data (your privacy matters to us, you have a choice)
- Clarity and references to keeping the data secure
- As someone is giving their consent they have to be told they can withdraw it at ANY time.
- Tell people that you might use their data to personalise their data. i.e. profile them. Sell the benefits, we would like to use your data to personalise our communications so you only get relevant offers. Give them a reason to give you their data to you.
The ICO does recognise that there is a challenge to get your message across along with all these stipulations.
Rosemary advises you take a look at:
A listener from the last show – a question about the deletion or destruction of data. How do you keep track?
One thing you’ll need to decide is how long you wish to keep a person’s data. The bigger issue, if you don’t know what data you’ve got then you cannot protect it.
A Data Map
- Find out what data you have got and where you hold it.
- Messages on WhatsApp might be outside your database – they are personal data, so if you promise to delete, you’ll need to delete that data too.
- You may need to retain employee data for so long to protect the company.
How long does the data go back on your database?
Are you a data squirrel?
Do you re-permission the data you have got?
- If you don’t want to use legitimate interest, some organisations are doing this.
- Sadly, some orgs have sent emails to whole of their base, including unsubscribes. Their argument was please re-consent, they argued they were service emails. The ICO did not agree. You cannot break a current law in order to get ready for a new one. Asking for consent is MARKETING!
- If you have an existing consent, ask them to re-consent. The postal route is a choice being taken by some organisations. Telling people they want to stay in touch.
If you re-consent your base, will you go to ALL the people you have ever connected with you? The guy who requested a brochure 8 years ago and has never connected again, for example? So, if you have a good offer, compelling copy and targeting is right, then you’ll get a better result.
- Ask, when did the person last transact?
- Call your call centre?
- Request literature?
Bring all that to bear on the messaging. If you are a charity, being open, a change in the law means we would like to re-permission, to stay in touch, because you are so important to us.
Foreign Companies. Is this GDPR update important?
If you are in the US, and you have opted people in, is that enough? If you are processing the data of a EU citizen, then you will be subject to the rules of GDPR. This GDPR update applies to you too!
There are challenges in enforcement. Kevin mentioned US businesses ignoring VAT rules when selling into the UK.
Rosemary says she has seen some US businesses taking a more detailed look at GDPR than some UK businesses. They want to see the US as a safe place for data to reside.
It is likely other countries will follow suit before too long in their respective legislations.
When will we see the next major announcement?
Probably after Christmas 2017. That will be the right time for a further GDPR update.
We have to keep proper records. Not as ad hoc as it has been so far. Have in place solid contracts with anyone who is processing your data on your behalf.
An Audience with the Queen of GDPR
What’s Rosemary’s advice for the next 100 days?
- Make a plan
- Identify the things that need to change.
- Do a Data Map. What data are you controlling and protecting?
- Policies up to speed, i.e.
- Data retention policy
- Data breach policy
- Get your CONSENT statement sorted out and test variants NOW
- On your own live audience or friends
- Are you going to rely on legitimate interest? Then do a Balance of Interests test. Document your decision.
- Internal training – staff, HR etc
- Subject access requests & policy on erasing data
Check out this article…
Are you a member of a trade association? Are they offering you advice? That should be your main source for future GDPR update.
Contact Rosemary Smith directly through her website – Opt-4