**This blog was first published in November, 2017 and has been updated in August 2018..
Frequently asked questions in relation to the GDPR
On the 25 May 2018, the most comprehensive reform to data security and privacy in the last 20 years came into effect: the General Data Protection Regulation (GDPR). Designed to harmonise data security and privacy laws across the European Union, the GDPR will transform data acquisition, processing and management as we know it.
The recommendation from many institutional bodies, experts and advisory firms is to act now. But while there is a plethora of information out there on the GDPR, little has been said on what it means for a business’ marketing activity – and how best to prepare.
Therefore, we have compiled a list of the most frequently asked questions in regards to the GDPR and provided a series of answers.
"The GDPR obviously covers email and email communications - does it also include telephone communication?
What if I buy a list of phone numbers and call each person?"
Before you even start contacting people on a list you have purchased from a third-party, ask yourself this:
“Did the data provider obtain that information consensually – and did the individuals on that list consent to being contacted by parties other than the data provider itself?”
If the answer to both questions – or either of them – is “no”, then you will be breaking the law under the GDPR. Consent must be acquired for each individual action: the data provider must have obtained that information consensually – and the data subjects must have consented to their data being used by parties other than the data provider.
Also, if you record calls it falls under the Data Protection Act (DPA) of 1998 and is classified as a form of data processing. The DPA states that individuals must be informed of how and why their data is being processed – which, in this instance, mean telling the individuals what the call is for or going to be used for. You know when you call into Vodafone, for example, and hear “this call is being recorded for training purposes?” – that’s the DPA working away. The GDPR extends these requirements, asking that businesses demonstrate that the purpose of call recording fulfils any of these six conditions:
The people involved in the call have given their consent to be recorded
Recording is necessary for the fulfilment of a contract
Recording is necessary for the fulfilment of a legal requirement
Recording is necessary to protect the interests of one or more participants
Recording is in the public interest or necessary for the exercise of official authority
Recording is in the legitimate interests of the recorder – unless those interests are overridden by the interests of the participants in the call
In order for calls to be recorded, businesses will need to justify the call recording under one of the six categories highlighted above.
"Are these rules or guidelines? What is the difference?"
To be clear, the GDPR is law – and not advisory.
Businesses that process personal data of European Union (EU) citizens, regardless of whether they operate in or outside the EU, must comply with the GDPR. Failure to adhere to the GDPR can result in fines of up to 20 million Euros or 4% of the group’s worldwide turnover (whichever is greater).
Less serious violations such as improper records or failing to notify the relevant authority of a breach can result in fines of 2% of the group’s annual worldwide turnover, or 10 million Euros.
"Who will actually issue the fines? Who would you contact to complain about a company? Who will contact you if there has been a breach (i.e. is it a European body)?"
The supervisory authority in each EU country will issue fines in the event of a data breach. Also, complaints regarding businesses should also be lodged with the relevant supervisory authority.
In the UK, this is the Information Commissioner’s Office, headquartered in Wilmslow, Cheshire and also has offices in Scotland, Wales and Northern Ireland.
"I’m in the UK and Brexit is coming - why should I bother or worry about it?"
The UK Government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
According to the gov.uk website: “The GDPR will have a direct effect on UK law from 25 May 2018. There are derogations (flexibilities) within the GDPR where the UK can exercise discretion over how certain provisions will apply.” Once the UK has left the European Union, however, the legislature will be able to make changes to the GDPR framework as it sees fit.
This means – despite Brexit – the GDPR will apply. Regardless of Brexit, if your business markets to European citizens or operates within the EU, the GDPR will apply! After the initial exit period, the UK will develop further legislation that will largely follow the GDPR, as it provides a clear baseline for UK businesses to continue to market to EU citizens and those in the EU.
"The regulation talks about ‘data controllers’ and ‘processors’, what are they?"
In their simplest forms, data controllers are those that determine how data is used and processed. Data processors process data on behalf of a controller.
Here are some examples of data controllers: government bodies, voluntary organisations, hospitals, or even your Internet Service Provider (ISP).
Here are some examples of data processors: accountants, market research companies, surveyors – anyone who processes data on behalf of someone else (an individual or company).
For example, we – as a marketing consultancy – would be a data controller and data processor. We collect personal information from website visitors and website visitors who fill in forms and control that data, as we decide on what to keep and to use in our digital marketing efforts.
We process that data as well. Holding it, organising it, analysing it, adapting it, retrieving it, erasing, combining and much more. It could be as simple as obtaining a new lead via your website and adding that lead’s information into your CRM or editing contact records.
"Who is responsible for the data within marketing agencies?"
Simply put, everyone! Having a clear view of your business’ data across the department is key to ensuring you meet the requirements of the GDPR. Good data governance needs to be driven from the top down (I’m looking at you, C-Suite) and on that basis, starts with the seniors in the business driving it forward.
That said, the GDPR does require that certain businesses, organisations and institutions appoint a DPO (Data Protection Officer) to oversee the business’ data management.
Under the GDPR you must appoint a data protection officer if you:
Are a public authority (except for courts acting in their judicial capacity);
Carry out large-scale systematic monitoring of individuals (for example, online behaviour tracking); or
Carry out large-scale processing of special categories of data or data relating to criminal convictions and offices
You may appoint a single data protection officer to act on behalf of a group of companies or public authorities. Any organisation can appoint a DPO, regardless of whether the GDPR requires you to do so.
"What happens if I lose a laptop/company mobile phone/USB that has sensitive data on it – who do I report it to?"
Firstly, you only need to notify the relevant supervisory authority of a breach where it is likely to risk the rights and freedoms of individuals, such as their human rights and freedom of expression, for example. Supervisory authorities differ from country to country, but in the UK, it’s the ICO – the Information Commissioner’s Office – based in Wilmslow, Cheshire, but with offices in Scotland, Wales and Northern Ireland.
For example, if the breach will have a detrimental effect on individuals, resulting in (and the ICO states) discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
For example, if a breach of customer details leaves customers open to identity theft, that must be reported.
Individuals must be notified immediately if it’s a high-risk breach, as well as the relevant supervisory authority. For those in the UK, this means telling the individual and informing the ICO.
"Will data providers now go out of business? Surely they can sell GDPR-compliant data lists?"
Perhaps, but more likely they will have to work harder and therefore costs will increase. Data providers will need to reassess the way in which they build their lists. They will need to obtain consent from each individual on the list so they can compile that information – and they will also need to obtain separate consent from them so they can sell that list to third parties. It’s a lot of work, but it can be done.
"Is double opt-in a guidance or a law? Does GDPR include ‘double opt-in’? I.e. A website visitor said “OK” passively, but do I need to confirm their consent? Surely single consent is enough?"
Double opt-in is a guidance, not a law.
In order to comply with GDPR regulations, you have to be able to prove that the individuals that you are contacting have provided affirmative consent for you to do so.
In order to prove affirmative consent, you must be able to show that they have completed an action to say: 'yes, I'm happy with this'. You can no longer have pre-ticked boxes or assume consent based on an individual's inactivity. Also, you must provide opportunities for the individual to opt-out of any communication if they so wish.
Double opt-in, however, is something that requires the individual to provide their consent twice and thus improve your record of consent, but it is not a legal requirement. Double opt-in is simply best practice as it provides no room for error when it comes to being able to prove consent further down the line.
If you are only gaining one stage of affirmative consent, make sure that you are also providing opportunities at every touchpoint for the contact to opt out of communications.
"What about my contact database? Can I still email these people?"
The GDPR states that you are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. But if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard of being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. So, make sure you update your consent mechanisms if needs be!
We hope you have found this GDPR FAQ document to be useful and would be very happy if you were to share it with others through social media. Of course, this is a living document and it will be routinely updated up until the commencement of the GDPR to ensure absolute accuracy.
"What are the legal/lawful bases for processing?"
Under GDPR, there are six lawful bases/grounds for processing. At least one of these must apply whenever you process personal data (to find out more about personal data, please see ‘What is personal data/information).
No single legal basis is better than another but the legal basis you choose will depend on your business and your requirements.
The six legal bases are as follows:
Consent: the individual – the data subject – has consented to the processing of their data
Contract: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
Legal obligation: processing is necessary for compliance with a legal obligation to which the controller is subject.
Vital interests: processing is necessary in order to protect the vital interests of the data subject or of another natural person.
Public interests: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Legitimate interests: processing is necessary for the purpose of the legitimate interested pursued by the controller or by the third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
"What is personal data/personal information?"
Personal data means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
Identifiers could be a person’s name, an identification number, location data or online identifier – the ICO outline the different identifiers that could be used to distinguish an individual here.
"What is the right to be forgotten?"
The right to be forgotten – also known as the right to erasure – is where individuals have the right for their personal data to be erased completely. Individuals can make a request for erasure verbally or in writing.
"What is sensitive personal data?"
Sensitive personal data is special category data consists of information about an individual’s:
Trade union membership;
Sex life; or
This type of data, according to the ICO, could create more significant risks to a person’s ‘fundamental rights and freedoms’.
"What rights do individuals have under GDPR?"
Under GDPR, individuals have the following rights:
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automate decision making and profiling
10 essential HubSpot workflows (You should implement today)