STRICTER RULES ON PRIVACY WILL APPLY ALL OVER EUROPE
You have probably read, over and over again, about GDPR, the new EU legislation around your and my privacy. As a citizen, it’s nice to know your rights are being protected. As a business manager, the new privacy legislation offers a series of opportunities, if you prepare well.
GDPR is short for General Data Protection Regulation. Officially we’re now in a period of transition, after which the legislation will be actively enforced from the 25th of May 2018. Don’t worry: the contents are largely similar to those of the former privacy legislation.
As a company, the rules give you clear tools around everything you may do with clients’ data. As a result, spam will decrease and your legitimate e-mail marketing will probably receive more responses, since consumers’ trust in direct e-mail will improve. If you’re active in several EU countries, this will considerably simplify your marketing activities: it will be easier to roll out your campaigns across Europe. Your overseas competitors are, incidentally, obliged to observe the same regulations, so you won’t be at a disadvantage against them.
Any data that you can (directly or indirectly) attribute to an identifiable natural person are personal data. Typical examples are a name, an e-mail address or a phone number. But a search history or an IP address, for instance, are personal data too. Every company has stored such data somewhere, actively collects them or uses them for analyses. You are then processing personal data and you must, barring a rare exception, comply with the legislation.
It’s forbidden to process specific ‘sensitive’ personal data. Examples are race, political views, union membership, information about sexual orientation or genetic information. In most cases you are allowed to process personal data, for example for marketing purposes. You then need the consent of your client or prospect. Of course, personal data can also be processed in order to deliver your products and services or because you have to comply with legal obligations.
Source: An IDC infographic sponsored by Commvault (April 2017), www.commvault.com
The GDPR compels you to be transparent regarding the rights of the consumer. Consumers have the right to retrieve the data about them that you have stored (you have to answer such a request within 30 days), the right to demand that those data be transferred to another supplier and even the right to be completely deleted (‘forgotten’) from your systems. Transparency also means that you actively inform your (potential) clients about their rights, which means you need a clear privacy statement. Of course, you also have to adequately protect the data against attacks by hackers or human error. Do you nevertheless suffer a data breach? Then you have to notify the Privacy Commission within 72 hours of discovering it.
Important: when you receive a request to be ‘forgotten’, you actually have to remove the data from your back-ups as well. For most companies this is, understandably, no simple process.
THE IMPACT ON YOUR COMPANY
Only if you have no clients, suppliers, employees or other contacts at all will the GDPR have no impact on your company (yet). In other words: the new privacy rules apply to everyone. To determine the impact on your organization, you’ll need to inventory:
- Which data you now keep, and where you keep it;
- How you obtained these data – and what exactly your clients agreed to;
- How these data are processed.
From Friday the 25th of May 2018, you have to keep records of your processing activities yourself. This may sound cumbersome, but it’s a good thing: under the old rules, after all, you had to register each processing activity with the Privacy Commission. In these records you naturally state the purpose of the processing and the categories of personal data that you process. In addition, you record the names and contact details of the persons responsible for the processing.
Certain companies also have to appoint a Data Protection Officer (DPO). A DPO is mandatory for companies that process data on a regular basis, or that process sensitive data. (At EMAKERS, business manager Stefan Vermeulen is DPO, for now.) Other companies may appoint one voluntarily. Moreover, the DPO does not have to be one of your employees. The DPO can also oversee that the principle of privacy by design is applied in new projects in which personal data play a role. If you haven’t appointed a DPO yet, it’s wise to do so now and to make him or her responsible for the initial audit, in which you analyze the impact of the GDPR on your business operations.
The new privacy rules state that the contacts in your database must have explicitly given their consent, or that you must have a legitimate interest in keeping them in your database.
Example of GDPR consent management, source: www.b10v.com
Most companies have e-mail lists that they actively use for several marketing actions. You need explicit consent to e-mail a contact. In practice this means you have to be able to prove that you obtained the addresses through an opt-in, recording when the contact agreed, to what exactly, and from which IP address. Many companies have an e-mail list in a spreadsheet somewhere and a stack of business cards elsewhere. It’s a good idea to then explicitly ask your contacts for their consent, for example through a new opt-in campaign. EMAKERS already carried out such campaigns and, in our experience, your contact list will probably be decimated. It’s therefore easy to predict that most companies will carry out a large spring cleaning of their client database, and in return you’ll get a much higher-quality database.
The new rules also give you a good reason to review all accounts that have access to client information. Many companies use “shared” accounts, for example to get by with a free (or cheaper) subscription to an internet service. That actually isn’t kosher anymore. Everyone who has access to data of yours that falls under the privacy legislation (such data typically live in your accounting, CRM, ERP and e-mail systems) should, in our opinion, be listed in your processing records. When someone leaves the company, you delete their accounts immediately and note that date in your records.
THOROUGHLY DEALING WITH MATTERS
Unfortunately, it’s impossible to make a clear-cut comparison between small and large companies to determine the impact of GDPR. A small marketing agency can, for example, work intensively with client data, while that may matter far less in a large construction company. The starting point remains primarily the data that you process as a company.
If you recognize words such as CRM, data analytics, e-mail marketing and remarketing, you are probably already doing direct marketing in an advanced way. Compared with the old rules, there are new rules around the automated processing of personal data to evaluate certain aspects of a natural person in order to predict his or her (buying) behavior. Everyone has the right to be excluded from this type of activity (commonly known as profiling) and from other forms of automated decision-making. Exceptions apply when it is necessary to conclude a contract, when it is authorized by law, or when it is based on explicit consent.
If you work with external staff, it’s a good idea to review your contracts with them and/or to add a specific clause on privacy. That way you can at least be confident, for example, that your partner takes adequate security measures against possible data breaches.
The new privacy legislation is the same for the whole EU. If you’re active in markets outside the EU, it goes without saying that other (possibly stricter) privacy rules may be in force there that you also have to meet.
If you’re not already actively working on the new privacy rules within your company, you’re actually already late. Our experience is that you need at least 2-3 months to implement the rules in your organization.
What you have to do exactly is different for each company. You can start with:
- An initial analysis, mapping which data you use within your company, where they come from, who has access to them (internally and externally) and why you keep them; in the new rules this is called the Data Protection Impact Assessment (DPIA);
- Appointing a Data Protection Officer (DPO);
- The adjustment of the processes within your company and of your contracts with suppliers, your employment contracts, etc.; many companies rely on makeshift solutions and manual matching between several data sources, resulting in inconsistencies between those sources, and the new rules call for professionalization in this area;
- The improvement of the (technological) security of the data under your control.
Don’t forget that for new projects you should follow a privacy-by-design approach, and that you are obliged to report a data breach when you discover one despite your efforts.