The General Data Protection Regulation (GDPR) comes into force on May 25th. The EU’s new laws are aimed at protecting EU citizens’ personal data. Here at Adsertor we are working hard to ensure that not only our own practices but also those of our partners and customers are GDPR compliant.
Who does the GDPR apply to?
All businesses: those who control the data and those who process it. Controllers and processors of data must abide by the GDPR. A data controller decides how and why personal data is processed, while a processor is the person or people who actually process the data. The controller could be any company or organisation, from a charity or profit-seeking business to a government. A processor could be an IT business that carries out the actual data processing.
It doesn’t matter whether controllers or processors are based outside the EU: GDPR will apply if they are dealing with data that belongs to EU residents. It is the responsibility of the controller to make sure the processors they use abide by GDPR. The processors themselves must maintain records of their processing activities as specified in GDPR.
You must have a valid lawful basis to be able to process personal data
Under GDPR there are six available lawful bases for processing:
1-The data subject has given consent to the processing of their personal data for one or more specific purposes. See CONSENT below
2-Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
3-Processing is necessary for compliance with a legal obligation to which the controller is subject
4-Processing is necessary in order to protect the vital interests of the data subject
5-Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
6-Processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
The basis which is most appropriate to use will depend on your purpose and relationship with the individual.
- Consent requires a positive opt-in from individuals. Never use pre-ticked boxes or other methods of default consent
- Consent requires a very clear and specific statement of consent
- You must keep your consent requests separate from any other terms and conditions
- You must name any third-party controllers who will rely on the consent
- You must make it easy for people to withdraw their consent and tell them how to do this
- You must save the evidence of consent; who, when, how, and what you told people
IMPORTANT NOTICE - You must now inform people upfront about your lawful basis for processing their personal data. You must communicate this information to individuals by 25 May 2018, and ensure you include this in all future privacy notices.
Adsertor can really help businesses get GDPR ready and stay compliant. Whilst GDPR may seem like a lot of hard work, the benefits for both a business and the individuals whose data it holds are great:
An annual report published by the Department of Culture, Media and Sport reveals that around 70% of big UK companies have suffered a cyber-attack. With GDPR focusing on data security, a business that is shown to be GDPR compliant will boost its reputation as safe and secure in the eyes of existing and potential new customers. This will build much greater consumer confidence.
When GDPR comes in, the people on your database can specify exactly what they want to receive from you. This means that those who have consented and specified what they want to receive will make your marketing much more effective. Customers who give permission for businesses to use their data in line with GDPR are much more likely to engage. Targeting individuals on your database who have no interest in what you offer is time-wasting and unprofitable, so this can only be a positive move.
Build customer loyalty
Communicating with customers in the way they have asked to be contacted, and with the type of information they have asked to receive, will make your marketing more personalised, which helps build loyalty. Compliance with GDPR will also ensure a better start to the customer journey, as those parting with their data will have more awareness of how it will be used. Those who don’t want to engage won’t provide their data, so you won’t waste valuable time chasing people who aren’t interested anyway.