The EU General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in the last twenty years. It came into direct force on 25th May 2018.GDPR replaces the 1995 EU Data Protection Directive (European Directive 95/46/EC), strengthening the rights that EU individuals have over their data, and creating a uniform data protection law across Europe. Brexit will not affect the new regulation as the Secretary of State for the Department of Culture Media and Sport confirmed GDPR will be enforceable from 25th May 2018.
Those two words should echo around an organisation’s board room from now on with this new regulation. An organisation should be asking itself questions such as – What types of personal data do we hold? Where is it located? How accessible is it? Are we adequately protecting the data? Are we adequately protecting the target’s rights and interests? Do we have the necessary consent? Most importantly – Are we compliant? Data protection should become a board-level discussion due to the huge onus on organisations to comply, and the penalties for those who don’t. Where the DPA (1998) was typically tougher on companies operating inside the EU, the scope of GDPR extends globally. If an organisation holds or processes data that can identify an EU citizen, then they must comply regardless of physical location. It also brings data processors into the spotlight. While the GDPR still focuses on the controllers i.e. who collected it and who dictates its use, data processer such as data suppliers are also brought under the microscope when it comes to accountability.
During the DPA era, many businesses relied on ‘implied’ consent. This passive approach was taken advantage of over the following decade until it was rewritten during the negotiations for the GDPR. A pre-ticked box stating they subscribe, or allow 3rd parties to use their data was often used – and if the consumer didn’t bother to untick the box, then implied consent was given. The GDPR however states that a “clear affirmative action” needs to happen for consent to be valid. This will mean actively ticking an un-ticked box for consent. This however, for clarity and safety’s sake should be followed up by an email – “click here to confirm subscription” for example. This created the double opt in and is a clear sign they want their data used by the company.
Consumers have the right to request their data be deleted thanks to the GDPR. Any personal data stored on the subject must be deleted unless there is a legitimate need for the business to keep it.
While the requirement to appoint a DPO is new under the GDPR, it has been a long-standing element of data protection in Germany. Modelled on that, a modified version made its way into the GDPR. Companies are required to appoint a DPO if they process vast quantities of personal data on a regular basis or they process on a large scale ‘special categories’ data (e.g. race, religion, health – anything deemed sensitive)
The punishment for data breaches has been dramatically increased from the £500,000 maximum fine that was permitted under the DPA. The GDPR provides a comprehensive package for collecting, processing and managing data and should therefore not be violated. Heavy fines of up to 2% of annual global turnover await those who fail to comply with GDPR. Businesses who suffer a serious data breach are open to fines of up to €20m or 4% of annual turnover – whichever is higher.
A data breach is more than just losing personal data. A Breach, as defined by the ICO is – “A breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.” Breaches vary in severity which makes it important to understand how an organisation has been breached, what has been accessed and how it will affect the rights of the subject(s). Not all breaches need to be reported, in some cases it can be handled internally without notifying supervisory bodies. However, when the breach will likely have a “significant and detrimental effect on individuals” then it must be reported. For example, a data breach which allows unauthorised access to customer’s transactional data risks the subjects falling victim to identity theft. This should be reported as it imposes a threat on the security of an individual. Accidently altering staff telephone numbers on the other hand can be handled in house and not worth reporting.
Prominent Contact will follow best practices on data protection. This means we are working closely with our data suppliers to ensure that data is collected in a compliant manner. Prominent contact will ensure all data is kept up to date and accurate.
The main change GDPR creates for marketing data, is the legal premise by which data can be processed (or used). Whilst there are six in total, for marketing the two most important are ‘Legitimate Interest’ and ‘Consent’.
It does not mean you are compliant by purchasing data from Prominent Contact. To be compliant under GDPR, purchasers of Marketing data (email, address or telephone) must also follow specific guidelines from the ICO and PECR (for marketing using electronic means). It is mandatory on all UK and EU businesses to ensure they process data in accordance with GDPR, which includes, but is not limited to, things such as clear and accessible unsubscribe options on all communications, and ensuring proper segmentation when delivering communications (e.g. to ensure the data subject would have a legitimate interest in the topic or content of any communication received). For more information please visit ICO Prominent Contact will screen against Telephone Preference Service (TPS) and the Corporate Telephone Preference Service (CTPS) registers at the point of delivery. All customers must suppress against any in-house suppression files you hold before initiating any marketing. After 28 days from delivery its customer’s duty to check the data against TPS and CTPS register. Prominent Contact offers this service separately. Please check the Data Validation tool.
To opt-out or for further information please email: