GDPR stands for The General Data Protection Regulation and is a new EU legislation which will come into effect in May 2018.
The regulation was adopted back in 2016 but becomes enforceable as of the 25th May 2018.
This includes the United Kingdom, as its decision to leave the EU will not halt the commencement of GDPR. Additionally, the reach of the new regulation means that it must be followed by any companies outside of the EU that offer goods, services, or monitor the behaviour of residents of the EU. So regardless of the UK government’s decision regarding GDPR post-Brexit, it’s more than likely your company will still need to comply with the new regulation.
What is GDPR?
Essentially, the GDPR is a replacement to the Data Protection Directive 95/46/EC and is being introduced to extend existing EU data protection laws. Although many data privacy and protection principles from the 1995 directive still stand today, the new regulation reflects the increasingly data-driven world we are living in, some two decades later.
The biggest change is the extended territorial jurisdiction of GDPR. Under the regulation, where data of EU residents are being handled by controllers and processors, they must comply with GDPR, even if the processing takes place outside of the EU. So if a non-EU company handles the data of EU residents in the context of selling them goods, or services, or for monitoring behaviour, then they MUST adhere to the regulation.
GDPR is also bringing in a new series of fines, which are tiered according to the infringement. The maximum fine will be 4% of annual turnover, or twenty million euros, whichever is the greater. This hefty fine is reserved for the most severe breaches of the regulation, whilst other offences, such as not conducting an impact assessment, carry a 2% fine. This enforcement applies to both controllers and processors, meaning cloud services are not exempt.
Another big change is strengthened conditions of consent. All requests for consent must now be phrased in an intelligible, easily accessible form. Gone are the days of lengthy text and legalese, as all requests for consent must now be in clear, plain language and easy to access. Equally, withdrawing consent must be as easy as giving it.
Changes to Data Subject Rights
There are also a number of changes to data subject rights under the GDPR. Briefly, these include:
- Mandatory breach notification. Where a breach may “result in a risk for the rights and freedoms of individuals”, breach notification is mandatory in all member states and must be made within 72 hours. Data processors must also inform their customers and controllers without undue delay.
- Right to Access. Under GDPR, data subjects now have the right to obtain confirmation from a controller as to whether their personal data is being processed, and if so, where and why. The controller must provide a copy of the information in an electronic format, free of charge. The data subject also has the Right to be Forgotten, meaning that the subject can have the controller erase their data, halt further circulation of the data, and potentially halt third parties processing the data. There are conditions regarding erasure, and controllers are required to compare the rights of the subject
- Data Portability. The subject has the right to receive data concerning them which they have provided, in a commonly used format, and can pass this on to other controllers.
- Legal Privacy by Design. Under GDPR, Privacy by Design becomes a legal requirement. Essentially this means that data protection must be included in the early stages of designing systems. This means controllers must have appropriate data protection measures from the outset, rather than adding them later. Additionally, controllers must handle only the minimum of data required to complete their duties, and limit access to personal data.
There are other changes of course, including the requirement to appoint data protection officers, but these are only mandatory for certain companies. So you must be sure to research specifically for your company and ensure you meet all legal requirements and obligations under the new regulation.
What this means for SMS marketing
From reading about the changes above, you’ve probably recognised a few things you will need to implement or change within your company and in your communications with users. But what does GDPR mean for SMS marketing specifically?
You probably noticed the big theme of the changes is transparency between organisations and data subjects.
Firstly, the ‘strengthened conditions of consent’ mean that every phone number you contact MUST have opted in to receiving messages from your organisation. For a hard opt-in, this is straightforward. For soft opt-ins, the rules aren’t as clear: where someone has used a soft opt-in option, you should only communicate about the specific product or service they enquired about, and give them the option to opt out of messages. Given that ambiguity, it is best for your business to always pursue a hard opt-in, for the sake of clarity to both you and the user.
In the continuing theme of clarity, your opt-in and consent forms must be clear and concise, as mentioned previously. Additionally, pre-ticked boxes and silence do not count as consent. Wherever data is collected, you must explicitly state why it is being collected and for what purpose. Similarly, opting out must be as clear and easily accessible as opting in, and however a user has chosen to opt in, they must be offered the opportunity to opt out.
From this, you must then store only the absolute minimum of private data you need to carry out your duties and services. Whatever data you do take must be stored securely, protected from damage, destruction, and loss, and you have a duty to prevent any unlawful processing of it. This should be of vital importance. Any potential breach must be reported, and customers and controllers informed, without undue delay.
The GDPR aims to extend the jurisdiction of data protection policy, promote the security of data, and increase transparency between organisations holding data and the data subjects. This will, in turn, grant more rights and power to data subjects from the EU, and their ability to view and control their personal data. This means your organisation holds the responsibility to make sure that your communications regarding contact and data collection are clear, that you keep private data secure, and able to allow subjects to view data concerning themselves.
Ultimately, under the General Data Protection Regulation your business must promote clarity to the subject at every step of handling their private data, and aim to maintain complete security so that private data doesn’t circulate beyond where it is necessary. These measures benefit both the user and the business, encouraging positive relationships between organisations and clients, good working practice, and protection for both your business and the consumer.
Remember to research the specifics of GDPR and what they will mean to your business, and ensure you’re ready for when it comes into force on 25th May 2018. For the most comprehensive breakdown of the key points of GDPR, the process, and other resources, check the EU GDPR site.
If you would like to know more about GDPR and what it means to the event industry, you can read our blog post. It features the key changes, and how they might affect event planners and event managers.