What does GDPR mean?
The EU General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in the last twenty years. It came into direct force on 25th May 2018.GDPR replaces the 1995 EU Data Protection Directive (European Directive 95/46/EC), strengthening the rights that EU individuals have over their data, and creating a uniform data protection law across Europe. Brexit will not affect the new regulation as the Secretary of State for the Department of Culture Media and Sport confirmed GDPR will be enforceable from 25th May 2018.
Accountability and Responsibility
Those two words should echo around an organisation’s board room from now on with this new regulation. An organisation should be asking itself questions such as – What types of personal data do we hold? Where is it located? How accessible is it? Are we adequately protecting the data? Are we adequately protecting the target’s rights and interests? Do we have the necessary consent? Most importantly – Are we compliant? Data protection should become a board-level discussion due to the huge onus on organisations to comply, and the penalties for those who don’t. Where the DPA (1998) was typically tougher on companies operating inside the EU, the scope of GDPR extends globally. If an organisation holds or processes data that can identify an EU citizen, then they must comply regardless of physical location. It also brings data processors into the spotlight. While the GDPR still focuses on the controllers i.e. who collected it and who dictates its use, data processer such as data suppliers are also brought under the microscope when it comes to accountability.
During the DPA era, many businesses relied on ‘implied’ consent. This passive approach was taken advantage of over the following decade until it was rewritten during the negotiations for the GDPR. A pre-ticked box stating they subscribe, or allow 3rd parties to use their data was often used – and if the consumer didn’t bother to untick the box, then implied consent was given. The GDPR however states that a “clear affirmative action” needs to happen for consent to be valid. This will mean actively ticking an un-ticked box for consent. This however, for clarity and safety’s sake should be followed up by an email – “click here to confirm subscription” for example. This created the double opt in and is a clear sign they want their data used by the company.
Right to be Forgotten
Consumers have the right to request their data be deleted thanks to the GDPR. Any personal data stored on the subject must be deleted unless there is a legitimate need for the business to keep it.
Data Protection Officers (DPO’s)
While the requirement to appoint a DPO is new under the GDPR, it has been a long-standing element of data protection in Germany. Modelled on that, a modified version made its way into the GDPR. Companies are required to appoint a DPO if they process vast quantities of personal data on a regular basis or they process on a large scale ‘special categories’ data (e.g. race, religion, health – anything deemed sensitive)
Breaches & Penalties
The punishment for data breaches has been dramatically increased from the £500,000 maximum fine that was permitted under the DPA. The GDPR provides a comprehensive package for collecting, processing and managing data and should therefore not be violated. Heavy fines of up to 2% of annual global turnover await those who fail to comply with GDPR. Businesses who suffer a serious data breach are open to fines of up to €20m or 4% of annual turnover – whichever is higher.
What constitutes a breach?
A data breach is more than just losing personal data. A Breach, as defined by the ICO is – “A breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.” Breaches vary in severity which makes it important to understand how an organisation has been breached, what has been accessed and how it will affect the rights of the subject(s). Not all breaches need to be reported, in some cases it can be handled internally without notifying supervisory bodies. However, when the breach will likely have a “significant and detrimental effect on individuals” then it must be reported. For example, a data breach which allows unauthorised access to customer’s transactional data risks the subjects falling victim to identity theft. This should be reported as it imposes a threat on the security of an individual. Accidently altering staff telephone numbers on the other hand can be handled in house and not worth reporting.
How are Reachere B2B data is compliant with the GDPR?
Reachere will follow best practices on data protection. This means we are working closely with our data suppliers to ensure that data is collected in a compliant manner.Reachere will ensure all data is kept up to date and accurate.
The main change GDPR creates for marketing data, is the legal premise by which data can be processed (or used). Whilst there are six in total, for marketing the two most important are ‘Legitimate Interest’ and ‘Consent’.
- Legitimate Interest – is a legal basis of processing personal data that a business can use for direct marketing. A business has a legitimate interest in finding new customers; so long as it balances this interest, with the interests and rights of the data subject, then it can process personal data for the purposes of marketing. We believe that this means there should be clear alignment between the product, service or content being communicated, with the individual’s role (e.g. job description), industry or another targeting factor. This relies on high-quality data and strong segmentation criteria. Marketing communications using legitimate interest must then operate on an unsubscribe or opt-out basis, and follow the other data processing rules from GDPR. Reachere will process data under legitimate interest and provide it to our customers on this basis.
- Consent – means the individual whose data is being processed must have provided ‘opted-in’ permission. GDPR means businesses can no longer rely on implied consent or pre-ticked boxes – replacing them with the requirement for “explicit or unambiguous” consent by active ticking of an un-ticked box or another “clear affirmative action”. Some marketing data must be processed under consent and this is detailed in the Privacy and Electronic Communications Regulation (PECR) which extends the obligations of data protection to marketing using electronic means, and will still be law when GDPR is live. In B2B marketing, this particularly applies to emailing non-registered businesses, such as sole traders. We have concluded that it is not possible for our third-party suppliers of email data to capture consent to the full extent required by the GDPR. Hence, at this time, we will no longer offer email addresses on non-registered businesses. The EU’s ePrivacy Regulation is currently under development and will ultimately replace PECR. We will of course accommodate any new guidance criteria and we can assure you that Reachere will only sell data that is compliant with this guidance.
Announcement to our customers –
It does not mean you are compliant by purchasing data from Reachere. To be compliant under GDPR, purchasers of Marketing data (email, address or telephone) must also follow specific guidelines from the ICO and PECR (for marketing using electronic means). It is mandatory on all UK and EU businesses to ensure they process data in accordance with GDPR, which includes, but is not limited to, things such as clear and accessible unsubscribe options on all communications, and ensuring proper segmentation when delivering communications (e.g. to ensure the data subject would have a legitimate interest in the topic or content of any communication received). For more information please visit ICO Reachere will screen against Telephone Preference Service (TPS) and the Corporate Telephone Preference Service (CTPS) registers at the point of delivery. All customers must suppress against any in-house suppression files you hold before initiating any marketing. After 28 days from delivery its customer’s duty to check the data against TPS and CTPS register. Reachere offers this service separately. Please check the Data Validation tool.