It’s just over a year since I published my blog “GDPR 101: A Comprehensive Overview of the new Data Protection Regulation“ and given the readership it’s had, I thought it was high time for an update. Also, we’ve recently passed the GDPR anniversary… but if you’re new to the topic (or want a refresher), head over to that blog now and then pop back.
What’s this blog about?
At the B2B Marketing Expo in March, I ran a masterclass called Horror Stories from the GDPR Trenches so I’m going to share with you the areas that chimed most with my audience (or caused the most gasps) and give you an update on the latest best-practice.
[QUICK DISCLAIMER: I’m not a lawyer so this is not legal advice, and you may need help from someone that is.]
Oh no! I thought GDPR was so last year…
Well yes, it was. But that was just the beginning and a lot of people are still unclear on the difference between GDPR and the marketing regulations. Plus, the delayed ePrivacy regulation is still going to arrive eventually…
So what’s the GDPR and Marketing regulations bit?
GDPR is about the processing of personal data. Oh, and ‘processing’ means storing it, deleting it, looking at it – basically everything you can do with it except thinking about it.
Up until the 25th May 2018, we had the DPA (Data Protection Act 1998) and PECR (Privacy and Electronic Communications Regulations 2003) sitting side by side – the data one and the marketing one.
On the 25th May 2018, GDPR (General Data Protection Regulation) came into force along with the Data Protection Act 2018 (which sets out the bits left to individual member states and a few other bits). This is the data one too. The ePrivacy Regulation was going to replace PECR to be the marketing one at the same time but it was delayed. As a result, PECR still applies. For now. But ePrivacy is still on the horizon.
Hang on, why are marketing and data protection different?
Think of it this way. You can be a customer and I need to hold enough data about you to manage the contract – answer queries and whatnot. The type of information I store, how I store it, who can see it, how long I keep it and what I use it for is all part of the Data Protection Principles in the GDPR. That doesn’t mean you have to accept my marketing. It doesn’t mean I’m allowed to keep sending you newsletters when you’ve unsubscribed. You don’t have to accept cookies, or faxes, or text messages. That’s the marketing bit – that’s PECR (and will be ePrivacy).
Oh, we don’t do ‘marketing’…
I often hear this. Are you sure?
If you’ve read the ICO’s Direct Marketing Guidance, you’ll know that “direct marketing” is “the communication (by whatever means) of any advertising or marketing material which is direct to particular individuals”. The definition covers any advertising or marketing materials, not just commercial marketing so this includes the promotion of aims and ideals as well as the sale of products and services (charities and not-for-profits need to be aware of this).
Oh, and if your message is not a marketing one but includes some marketing elements – it needs to comply with PECR:
- Sending an account balance to a customer that just mentions other products or services? That’s marketing.
- Letting members know of a free event they might like to attend? That’s marketing.
Okay – how will ePrivacy differ from PECR?
PECR has different rules for B2C and B2B marketing whereas ePrivacy is very likely to remove that difference – meaning you’ll need specific opt-ins for B2B marketing too.
So now you know why ‘opt-ins’ got all the limelight before GDPR and why you’ll very likely still need them. But if you’re B2B, not just yet…
Here’s an idea though – why not start getting them now so you’re ready?
This is all academic though – nothing happened after GDPR came in…
It takes a while to identify, investigate and prosecute so most of the news stories have been for issues under the previous Data Protection Act. That’s not to say they don’t make interesting reading.
Self-reported data breaches in 2017-2018 were 29% up on the previous year – hardly surprising you might say. Data breaches now need to be reported within 72 hours – so some historic ones probably got reported just before GDPR day.
Looking at the figures (and a chart is always good), you can see that human error is still by far the biggest issue. It’s definitely time to check that the sales team don’t have old print-outs rattling around in the boot of their cars – and if you can’t use a professional email marketing tool (to ensure the correct recipient or bcc), do keep training staff and raising awareness. Oh, and public complaints are also up from around 9,000 to around 19,000 – I think that’s just the start and it’ll keep rocketing up as public awareness grows.
[Chart: 2017-2018 Self-Reported Data Breaches by Type]
Where are the really big scary fines though?
- The French regulator CNIL fined Google £44m. As the new maximum fine is 4% of annual global turnover it could have been a lot worse (well over £3bn).
- A German chat application was fined €20k for storing passwords insecurely.
- The Polish regulator has imposed a fine of around €220k on an organisation for only sending Privacy Notices to the people it had email addresses for.
- Uber was fined £385k under the old legislation, and this one has a great quote from our ICO.
Phew, well at least it’s only big business then…
Err, no. One of the biggest reactions at the B2B Marketing Expo came from two ICO cases.
In one, a former headteacher was fined for putting old pupil data on a server at a new school. This means they’d personally taken and stored this data for no good (lawful) reason even before they put it on a machine in a school with nothing to do with these children.
In the other case, a senior council officer’s partner was going for a job – so he emailed the rival candidate CVs to his personal address to give them an edge. The partner got the job until the data breach was discovered – the council officer was sacked and the job offer was cancelled.
If you’re delivering any data protection training, it’s worth stopping by the ICO website and showing the action they’ve taken against individuals. This really brings it home that anyone with access to data has a responsibility to work with it appropriately.
Hmmm. I don’t need to worry about the Marketing regulations though, right?
Two recent fines caught my eye – you’ll see these are PECR.
And remember the news story about Cambridge Analytica? The ICO have more powers now…
Now you’ve depressed me
So to lighten the mood, the liveliest section of my Masterclass was when I shared my own experiences of Subject Access Requests. Not perhaps the most glamorous of subjects but a couple of lovely email chains.
From a Privacy Notice sent to my personal email address in May 2018, I replied asking for a copy of my data. Firstly, because I’d never heard of the company and secondly because I’m a nightmare.
None of the audience thought the response I got some four months later in October was okay…
“Some time ago, you sent us an e-mail regarding a data information request, which was forwarded to the responsible department.
We will release the new beta version of our backend in calendar week 41. We have decided to provide the feature “Account Information” in this newly revised and improved version. Due to delays in the backend release, there is also a delay in providing your requested feature.
We will continue to work on your request as soon as possible.”
For a second I’ll ask you to ponder the same question I asked of the audience… did I report them to the ICO?
The vote was almost unanimous that I had definitely reported them (and the other case we went through). But no. I didn’t. What does that tell us? Well, the public complaints figure I mentioned earlier would be higher than 19,000 if I didn’t have anything better to do.
There was also general agreement not to add me to any prospecting databases in a hurry (and I heartily agree). Keep in mind that any staff member wandering through a platform like LinkedIn might calmly copy and paste my personal data into your database.
From there, if you’re complying with GDPR, you’ll send me a Privacy Notice. Then – as I don’t know your company – I’ll respond with a Subject Access Request. You’ll have one month to provide me with my data and where it came from but I’ll also be asking you awkward questions like which lawful basis for processing you’re relying on and how long you were proposing to keep my data for. That’s before I even ask for my data to be erased (and follow that up with another Subject Access Request to be sure you’ve done it).
You may be thinking that this is silly. That if I put my contact information out there in the world that I should expect to be added to any and every database. So think about your data. No, not the data you hold on a database but your personal data – the data about you. It’s yours and you get to choose how it’s used – as I do with mine. And we also get to choose how we’re contacted and marketed to.
Okay, okay! What should we do?
Train your staff – and keep training them. Maybe tie it into regular reminders about IT security but keep doing it and encourage people to question things and bring up potential issues.
Give your contacts choice – segment your data and send relevant, targeted messages. Always give plenty of choice for opting out – not just by the type (SMS, email etc.) but by the content – and make this prominent. I’d rather have a happy customer who only wants to see product updates than someone feeling bombarded who opts out of everything.
Get ready for ePrivacy – when news stories start to circulate about ePrivacy, have messaging ready to include in your marketing to get those Opt-ins (with a different version for people who have opted in already…). Have a plan – write it now.
Of course, having a CRM with elegant GDPR functionality built in and an integrated email marketing platform would make your life easier – I happen to know a really good one.
Have you paid your data protection fee to the ICO? Please check! I was on-site with a customer last year who didn’t realise there was a fee (and then paid up quick-sharp). The ICO started taking legal action for non-payment last year and the first appeal against the fine for non-payment was recently dismissed.
And finally, a quick recap
If any of the above has left you scratching your head, read on.
On the 25th May 2018, GDPR came into force, alongside the Data Protection Act 2018.
It’s not a quick thing to recap but the key bits you should be extra aware of are…
What is it? / The detail…

6 data protection principles (Article 5)
Basically, how you’d like your own data to be processed:
- used fairly, lawfully and transparently
- used for specified, explicit purposes
- used in a way that is adequate, relevant and limited to only what is necessary
- accurate and, where necessary, kept up to date
- kept for no longer than is necessary
- handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage

8 data subject rights (Articles 12-23)
We all have rights! The first one has been quite tricky for some organisations:
- be informed about how your data is being used
- access personal data
- have incorrect data updated
- have data erased
- stop or restrict the processing of your data
- data portability (allowing you to get and reuse your data for different services)
- object to how your data is processed in certain circumstances
- rights relating to automated decision-making processes (without human involvement) and profiling, for example to predict your behaviour or interests

6 lawful bases for processing (Article 6)
You don’t have to go for the top one but you do need at least one:
- consent – for one or more specific purposes
- for the performance of a contract
- compliance with a legal obligation to which the controller is subject
- to protect the vital interests of the data subject or another natural person
- in the public interest or in the exercise of official authority
- legitimate interests… except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject

Prohibition on processing special category data without an exception (Article 9)
Don’t process this data! There are exceptions but they’re very specific:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data for the purpose of uniquely identifying a natural person
- data concerning health
- data concerning a natural person’s sex life or sexual orientation
If you’re not currently using Gold-Vision CRM but would like to find out more about what Gold-Vision can do for your business, we’d love to arrange a personalised demo for you.