GDPR will affect nearly every UK business in some way

General Data Protection Regulation (GDPR) will take nearly every industry by storm, with business professionals, IT experts, marketers, and publishers, amongst others, discussing its implications.

In the past few months it is likely GDPR has been a buzzword in the office, with a lot of debate, panic or confusion over its implementation. But if you are unaware of the GDPR regulation the European Parliamentary is imposing, it is the biggest change in nearly 20 years, which is enforced by strict rules for any business that manages, stores or holds EU citizen’s personal details. In an essence, the aim is to give citizens power and fairer treatment on their personal data when disclosing information to businesses.

On 25th May 2018 businesses will have to comply with the regulation, and regardless of the UK’s status in the EU, it will not affect the regulation coming into force.

Why is GDPR necessary?

The current law has been deemed insufficient with modern technological changes. Many believe there is a lack of protection for customers, as businesses are selling personal data to third party companies. GDPR will combat the issue.

Will GDPR affect B2B and B2C?

At present, some businesses will be obliging with certain GDPR rules without even knowing, as some regulations are in line with the current Data Protection Act. GDPR will be a reform of the Data Protection Act, however, and there are going to be certain distinguishable exceptions.

One being the Privacy and Electronic Communications Regulation (PECR), which requires B2B and B2C organisations to have an opt-in consent from an individual prior to contacting them via electronic communications such as email marketing and telemarketing. Consequently, there will be noticeable changes for B2B and B2C marketing procedures, as individuals who opt-out will be granted immediate rights to the process.

What are the new rules for Privacy and Electronic Communication?

The Privacy and Electronic Communication Regulation, otherwise known as e-Privacy, has several key factors on how it will affect B2B and B2C sectors using electronic communications. Although the regulation is yet to be finalised, initial rules include:

  • Ability to access more communication services: The regulation has introduced new laws for instant and social media messaging, VOIP, web-based email and the IoT, which will consider the processes to be the same as phone calls, emails and SMS.
  • Optional rules on the usage of cookies: Users will be granted a choice to opt-in/out on allowing companies to retrieve data on their browsing habits. Plans suggest it will be applied via a browser setting, instead of requesting consent for each user in an automatic cookie banner pop-up. In the draft application, it explains how tracking on a website or service is prohibited, but in a few situations, there will be exceptions.
  • Difference in soft opt-in: the PECR process will remain the same, but have slight changes for soft opt-in (sending marketing messages to recipients). The draft report informs:
    “It is reasonable to allow the use of e-mail contact details within the context of an existing customer relationship for the offering of similar products or services” (Section 33)

It should be noted that PECR allows for soft opt-ins during “negotiations of a sale”, as it states in the new regulation, which it explains email contact must be limited to “the context of the sale of a product or service.” (Article 16)

GDPR European Data

How will B2B and B2C sectors be affected by the legislation?

GDPR is likely to affect the majority of businesses’ day-to-day operations as typical duties include using citizen’s personal data. Ultimately, customers are the key focus of every business, therefore businesses should not be fearful of the legalisation as it is likely to enhance customer experience.

There are three areas which will affect business and marketing companies the most:

  •  Opt-ins, opt-outs and communication consent
  • Customers have the right to be forgotten
  • Law enforcement

Opt-ins, opt-outs and communication consent

Firstly, opt-ins, out-outs, and communication consent is compulsory for GDPR. It must be ‘freely given, specific, informed, and unambiguous’, and conducted by a ‘clear affirmative action’. Therefore, it means companies will be forbidden to presume consent is granted based on ‘inactivity’. Gone will be the days when pre-ticked boxes are obligatory, as now it will be an unlawful practice of GDPR. Customers will be allowed to decide whether their data is distributed to companies and whether organisations can reach out to them.

Customers have the right to be forgotten

Probably one of the must discussed parts of GDPR, is how customers will now have the power and the rights to be forgotten and companies are being obliged to make the process simple for customers.

Legal enforcement

There are going to be changes on handling and processing personal data. For many businesses changes will be necessary to comply with database building, data management and housekeeping practices may need to be applied.

What do I need to do?

With the potential of substantial fines for being non-compliant, it is important procedures are communicated to workers. Initially, businesses should make staff aware of the new law and understand the changes on consent and data protection rights. Business will have to ensure everyone is knowledgeable on:

Data breach rules: the new rules will mean businesses need to identify, detect and report data breaches.

Notices for privacy procedures need to be updated; businesses need to have an accurate audit on data holding. Businesses should clearly explain what they plan to do with personal information they hold on an individual and where it is stored. Furthermore, individuals will have a legal right to require their personal data to be removed from the company’s database.

If GDPR is yet to be a hot topic in your office, start speaking about it, in less than 8 months’ time the changes will come into force. Get started with the regulation as soon as possible, as it will avoid any worries of being non-compliant and the chance of substantial fines. There are plenty of companies on hand to help you adhere to GDPR policies and guide you through the best approach for compliancy before May 2018.

Vizulate Digital’s View

There will undoubtedly be some teething problems as GDPR comes into force next year, purely because many companies are still unsure of how it will affect them, and that is down to the official communication channels regarding the legislation. From a personal security and privacy point of view, I see it as a positive step, as it has been almost 20 years since our current personal data rights were set out in 1998.

However, while there has been a considerable amount of scaremongering around the topic of GDPR for organisations that store and process data, I believe that the general public is blissfully unaware of how it may affect them. The individual is at the heart of GDPR as it is designed to protect them. But I’m genuinely not sure how many Europeans will be aware, for example, of their ‘right to be forgotten’ which ensures a data subject can enforce the immediate and absolute erasure of their personal data from any organisation that stores or uses it.

From a marketing perspective, many consumers could find that they suddenly stop receiving communications from their favourite brands and companies simply because they have failed to action any re-opt-in requests to explicitly say they are happy to continue receiving marketing communications, just because they weren’t aware that they had to. Because of this there will be an initial detrimental impact that will slow down and limit some of the marketing processes.

Highlights

  • General Data Protection Regulation will impact nearly every industry
  • The European Parliamentary is imposing one of the biggest changes for nearly 20 years
  • GDPR will enforce strict rules for any business who manages, stores or holds an EU citizen’s personal details
  • The aim is to give customers’ power and fairer treatment on their personal data when disclosing information to businesses
  • The regulation will be implemented on 25th May 2018 regardless of the UK’s status in the EU
  • GDPR will be a reform of the Data Protection Act, however, there is going to be certain distinguishably exception
  • A substantial change will be Privacy and Electronic Communications Regulation (PECR), which requires B2B and B2C to have an opt-in consent from an individual prior to send electronical communications
  • Certain situations will allow a soft opt-ins, such as in the “negotiations of a sale”, but communication must be limited to “the context of the sale of a product or service”
  • As customers are the key focus of every business, organisations should not be fearful of the legalisation as it is likely to enhance customer experience
  • Companies will be forbidden to presume consent is granted based on ‘inactivity’
  • Customer will be able to decide whether their data is distributed to companies and whether organisations can reach out to them
  • It is important workers are aware of the new law procedures
  • Non-compliant organisations can face substantial fines