If you are marketing online to parents then you may be collecting data for your customers or target audience. You may or may not be aware that the General Data Protection Regulation (GDPR) arrives on 25 May 2018. In this article, Gráinne O’Donovan, Douglas Law Solicitors explains some of the background and legal things to be aware of with regards to the new regulation to help you answer a key question “Why is GDPR important to my business?“
What is the General Data Protection Regulation?
There is a lot of fear and scaremongering surrounding the four letters GDPR – the General Data Protection Regulation – which comes into force on 25th May, 2018. However, data protection is not new. It often comes as a surprise to people to hear that a lot of the obligations imposed on data controllers and data processors in the GDPR are already in existence.
What the Regulation does that is new is that it imposes greater transparency for organisations & businesses in relation to their reasons for the collecting & processing of personal data. There is increased accountability regarding the storage of such data and significant, eye-watering penalties for data breaches. It introduces meaningful new personal privacy rights for individuals in relation to their personal data to include extensive rights of access, the right of rectification of inaccuracies & the right to lodge a complaint.
Gathering Personal Data from My Customers/Target Audience
The aim of this article is to help you understand what legal basis/justification you have for collecting & processing personal data; how to ensure your business has acted in compliance with its obligations under the GDPR & why you need to take GDPR seriously for your business.
First of all it is important to understand that personal data is any information that relates to an identified or identifiable living person. It includes different pieces of information which when collected together can lead to the identification of a particular person – a client; an employee; a supplier – obvious examples are
- an individual’s name & surname
- home address
- email address
- date of birth.
It does not apply to the processing of data of a deceased person. It is useful to remember that the personal data you are gathering does not belong to you, it belongs at all times to the person.
The GDPR regulates the processing by an individual, a company or an organisation of personal data relating to individuals in the European Union.
You might also find Is Your Website GDPR Ready? helpful
We have created a free GDPR Checklist for your Website that you can download and work your way through these steps.
Download your free GDPR Checklist here to use to make sure your website is GDPR ready
What is the legal basis for collecting the personal data?
Do you know & understand the legal justification you have for gathering the personal data of your customers or individuals from your target audience? If not, then it is essential that you become crystal clear on this and ensure your business can verify it.
As marketers, the sole legal basis for obtaining & processing your customer’s data will be their consent to you doing so. In other words, the only lawful reason or justification you have for collecting & processing personal data is the consent you have obtained from the individuals whose data you have gathered.
It is a requirement under the GDP Regulation when the only legal basis for obtaining personal data is consent, that the customer consent is ‘freely given, specific, informed and unambiguous.’
Consent has to be verifiable under GDPR – there can be no more pre-ticked boxes, it cannot be inferred by silence or inaction on the part of your customer. The consent to the processing of personal data cannot be given as part of any other contract with you.
Your audience/customers must be clear on what data they are providing to you and why. At all times you must communicate clearly in a language that your target audience/customers understand so that they are clear and without any doubt that they are consenting to the processing of their personal data.
You must also make sure that your customers are informed in advance of their right to withdraw consent. It should be as easy to withdraw consent as it was for your customer to give consent in the first place.
Where customer consent is the only legal justification for collecting personal data, individuals will have a stronger right to have their data deleted.
You might also enjoy reading Why List Building Is Crucial For Your Business Success
Getting Ready for GDPR
Carry Out a Data Audit
In order to prepare for the commencement of GDPR, you should conduct an audit by carefully considering how much personal data you collect, why you are collecting it and whether you really need all of the data you are requesting from your customers currently.
- How long will you hold onto the data?
- How secure is the data you hold both in terms of encryption & accessibility? The GDPR does not only relate to digitally stored data.
- How accessible & secure are your manual files, notebooks, etc which your business has that contain personal data?
- Do you ever share your customer’s personal data with third parties?
- If there is data that you are currently seeking from your target audience that you do not really need, then discontinue requesting it. Ascertain if you can anonymise or pseudonymise the remaining information you are collecting.
Update Your Privacy Notice
Your privacy notice should clearly set out the legal basis for the personal data you are gathering. Adopt privacy by design as a default approach in your business. If at any stage post GDPR an individual submits an access request to your business/organisation requesting a copy of their personal data you will be required to explain the legal basis for the data you have collected. As the sole legal basis for marketers will be customer consent, it is absolutely crucial that you can show (verify) that the consent was given by your customer in terms that are acceptable under the GDPR.
So Why is GDPR Important To My Business? (The Scary Bit…..)
Business owners (no matter what type of business) deal with personal data everyday.
Under GDPR an individual will have the right to request & be provided within one month, free of charge, a copy of all of their data and the reasons why the business was holding the data (the legal basis/justification), a description of the data and details of the duration for which it is being held.
This obviously has both a time & financial cost for businesses in dealing with data access requests and this is even more so when data protection disputes arise.
There are also GDPR requirements on businesses to release, correct & destroy data all of which comes at a time & financial cost.
There is the potential for reputational damage to businesses who suffer a data breach not to mention the significant new fines under the GDPR which are up to €10 million or 2% of the company’s global annual turnover whichever is higher.
With the GDPR will come the increased risk to businesses of expensive litigation. Individuals who suffer as a result of a data privacy breach by a business will now have a new right to sue for non-material damage in addition to material damage.
In conclusion, the General Data Protection Regulation cannot be ignored. Compliance is not an option. It can be helpful to remember that your customer’s/ audience’s data does not belong to you. Becoming informed & taking action now to protect your business will pay dividends in the long run.
There is a very useful website www.gdprandyou.ie which contains a lot of information for businesses to enable you to get GDPR ready.
Disclaimer – The material in this article is for general information purposes only and does not constitute legal advice. You should always seek specific legal and compliance advice before acting.
Gráinne O’Donovan is one of the founding partners of Douglas Law Solicitors, a dynamic law firm providing focused & goal orientated advice to individual and business clients. Gráinne provides legal advice & assistance to clients at significant stages of their business lives– from assisting clients who are starting a new business right through to those who are planning on retiring or selling their business. Gráinne also advises clients in relation to data protection issues. You can contact Gráinne by email at firstname.lastname@example.org and by phone on +353 21 489 7256.
Over to you now. Did you find Gráinne’s advice useful? How are you preparing for GDPR? Tell us in the comments below.