What’s happening on 25th May 2018?

  • It’s Julian Clary’s 58th birthday
  • It’s 41 years since Star Wars was released
  • GDPR replaces the current DPA

Cause for celebration all round? Maybe – but certainly, cause for preparation – and we don’t mean saving up to buy Julian Clary’s dog a diamante collar.

So – there’s less than a year to go and it makes absolute business sense to Be Prepared, exactly as the scout motto says. Don’t subscribe to lastminute.com; you’ll only regret it.

And what does GDPR stand for? General Data Protection Regulation, which replaces the Data Protection Act (DPA).

See here for the blog we wrote earlier which explains its evolution.

In brief, the GDPR concerns the rights people have over their personal data*. The DPA has become outdated since technology has progressed so rapidly in the past few years and so much business is carried out online. The new regulations aim to streamline data protection across Europe so that, no matter which country you trade with, or in which country your data is held, there’s consistency in the way data is handled. Helpful for businesses. Reassuring for individuals.

By the way, the fact that we are in the process of leaving the EU makes no difference because the GDPR applies to every business which holds or processes the data of EU citizens. If we want to trade in Europe then we will be obliged to show that UK standards are equivalent to the EU’s GDPR framework. Additionally, GDPR will become mandatory in the UK so even if you don’t trade overseas, it will apply to you.

There’s plenty to be getting on with in the meantime, meticulously outlined by the Information Commissioner’s Office (ICO). Here are five things you could put on your To Do List in the next few weeks. We’ll suggest more in subsequent blogs about GDPR.

  1. Appoint a data protection officer – crucial. It’s vital that someone takes the lead in this matter, otherwise there’s a danger it will be lost in the piles of other policies every company has to deal with. And, that someone should report to a board member or ideally be a board member.
  2. Raise awareness – you may know about the impending change in regulations, but do all the key decision-makers in your company?
  3. Organise an information audit – unless you know the current personal data situation in your company (Whose data? Where from? How shared? To whom?) how can you possibly plan for the future?
  4. Check procedures – do they cover the new rights individuals will have?
  5. Plan timetable to amend privacy notices – make sure they will meet the new requirements in plenty of time for GDPR.

At Mailing Expert, we’re ahead of the game. Why not join us? Together we can make this happen.

Mailing Expert

* Personal data is not only an individual’s name and address; it is anything that identifies an individual from other information, including physical characteristics, pseudonyms, occupation, address, email et cetera, or a combination of identification elements. That means business contacts too.

New data protection legislation from the EU

We all love a bit of legislation, especially when it’s contained in a 204 page directive from the EU. In the spirit of customer service, here’s a summary of the reforms to save you endless nights of tedious bedtime reading. We aim to please.

The 1995 Data Protection Directive and the 1998 Data Protection Act

Just to bring us up to speed. In the latter part of the 20th century it became apparent that most companies and organisations – individuals too – were storing and processing personal information on computers. While this has many advantages as far as speed and efficiency go, it leaves us vulnerable because this data may be accessed by others without our knowledge or permission. Unscrupulous people could misuse it – use it for commercial advantage, identity theft for criminal purposes, or sell it on to a third party for financial gain.

The 1995 Data Protection Directive was created to control the way such information is handled and to give some legal rights to people who have information stored about them. It was implemented into UK law by the 1998 Data Protection Act. The problem with the 1995 Data Protection Directive was that each Member State could implement it into its own national law in a slightly different way, so each Member State had its own set of rules, and since people often have data stored in many countries, as they say, things got complicated…

So now the 2016 EU Legislation

Designed to establish one set of rules across Europe, with a European Data Protection Board to ensure a common interpretation across all the national data protection authorities, it should make it more straightforward for everyone to do business outside their home country. It heralds the arrival of an era of renewed accountability and transparency, which can only be applauded.

It consists of two parts:

The General Data Protection Regulation (GDPR) – allowing individuals to have more control over their personal data, reducing regulation and enhancing trust so everyone can make the most of the opportunities afforded by the Digital Single Market.

The Criminal Justice Directive – concerned with Europe-wide cooperation with criminal investigations and law enforcement, leading to more effective anti-crime and anti-terrorism.

Political agreement on the text has been reached; it will become law very shortly; enforcement will start in 2018. It’s something for which you must prepare because penalties for breaches will be HUGE – figures flying about are fines of €20 million or 4% of a business’s global gross revenue. Ouch!

What it means for you – in a nutshell

N.B. This is not comprehensive. It covers the aspects that we consider have most bearing on the direct marketing aspect of your business.

The definition of personal data – any information which allows anyone to identify a person, so aside from the obvious name, address and ID numbers, this now includes such things as cookies and IP addresses if they lead back to a person.

Consent – agreeing to data collection and use doesn’t need to be explicit but it must be unambiguous – a subtle distinction? It must be clear why you require the data. Your privacy notices and policies must be tip-top, accessible and transparent. Consent must be acquired by a “clear affirmative action.” No action, silence and use of pre-ticked boxes will not count as consent. Withdrawing consent should be just as easy as giving it.

Profiling – that’s to say, using the data to determine particular criteria about individuals – like personal preferences or location. This is an important tool in DM. It looks as though consent must have been obtained in the first instance.

Legitimate Interest – use of data for DM is considered to be legitimate (phew!) – that is, unless what you intend to do breaches the fundamental human rights and freedoms of the subject, particularly in the case of children.

Data Protection Officer – it will be mandatory to appoint one if your organisation is engaged in regular and systematic monitoring of data subjects on a large scale or processing sensitive personal data. We will have to find out what this means from the guidance which will be issued in the next two years. At one point in the discussions, this ruling was only applicable to companies with more than 250 employees, now it’s any organisation which meets the above criteria. The appointed person must know about data protection law and practices to a level suitable for the role within a particular company. Even if your organisation does not have to appoint one compulsorily, it may decide to appoint one anyway.

Privacy Risk Impact Assessments – data controllers must take robust precautions before embarking on higher-risk data-processing activities to minimise the risk to their data subjects. This might include encryption, establishing resilient systems and regular evaluation to ensure security is fit for purpose.

Notification of breaches – “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” If the breach is going to impact on the rights and freedoms of individuals then ‘the appropriate supervisory authority’ must be notified within 72 hours, and the data subjects must be told ‘without undue delay.’ Data processors must inform data controllers, and both are obliged to notify.

Liability of data processors – data processors will have direct obligations under the Regulation and will not be able to hide behind data controllers.

Have you lost the will to live now? Our apologies. The trouble is, it IS something we all have to grasp before it’s too late. These are regulations we will be implementing at Mailing Expert – for YOUR protection as well as ours.

Deep breaths, everyone!