Is Your B2B Ready For GDPR?
31-07-2017Tags: Marketing Insight
The General Data Protection Regulation (GDPR) commences on 25th May 2018, superseding the Data Protection Act 1998 (DPA).
Currently, organisations that collect, process and store personal information must comply with the DPA, or face fines of up to £500,000 in the event of a data breach.
From 25th May 2018, organisations in breach of the GDPR could face considerably greater penalties, up to 4% of annual global turnover or €20 million (whichever is greater).
The UK government has confirmed that the decision to leave the European Union (EU) does not affect the commencement of the GDPR. All organisations worldwide must comply with GDPR, if personal data from residents of EU member states is processed.
Definitions
Personal data – “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Online identifiers – “natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol (IP) addresses, cookie identifiers or other identifiers such as radio frequency identification tags.”
Consent – “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by he/she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him/her.”
Preparations
- Awareness – Be aware that the law is changing and appreciate the impact the GDPR is likely to have.
- Information held – Document the data held, its source and who it’s shared with.
- Communicate privacy information – Review current privacy notices and plan the necessary changes in time for the GDPR.
- Individuals’ rights – Review procedures and ensure all individuals’ rights are covered, including how personal data is deleted or provide data electronically and in a commonly used format.
- Subject access requests – Update procedures and plan how to handle subject access requests (SARs) within the new timescales.
- Lawful basis for processing personal data – Identify the lawful basis for processing activity in the GDPR, document it and update privacy notices to explain.
- Consent – Review how consent is sought, recorded and managed, and whether any changes are required to comply with the GDPR.
- Children – Consider whether systems are required to verify individuals’ ages and how to obtain parental consent for any data processing activity.
- Data breaches – Ensure the right procedures are in place to detect, report and investigate a personal data breach.
- Data protection impact assessments – Become familiar with the Information Commissioner’s Office (ICO) code of practice on Privacy Impact Assessments (PIAs) and establish how and when it should be implemented.
- Data Protection Officers – Consider whether a formally designated Data Protection Officer is required.
- International – If operating in more than one EU member state, determine the lead data protection supervisory authority. Article 29 Working Party guidelines will assist with this.
Differences Between DPA & GDPR
| Data Protection Act (1998) | General Data Protection Regulation (2018) | |
| Reach | Applies to UK organisations only | Applies to all organisations processing EU residents' data |
| Enforcement | Information Commissioner's Office (ICO) | Country-specific Supervisory Authority (SA) |
| Penalties | Up to £500,000 or 1% of annual turnover | Up to €20 million or 4% of global annual turnover |
| Data Protection Officers (DPO) | No legal requirement to formally designate a DPO | Mandatory for organisations with more than 250 employees |
| Data Breaches | No legal requirement to report data breaches, though encouraged to do so | All data breaches must be reported to SA within 72 hours |
| Data Removal | No legal requirement to remove individual data upon request | All individuals have the 'right to erasure' |
| Privacy by Design | Protection Impact Assessments (PIAs) not a legal requirement but encouraged by ICO | PIAs will be mandatory and must be carried out if a high risk to individual freedoms |
| Opting In | Data collection does not necessarily require opt in | Individuals must opt in via explicit and transparent consent, with clear privacy notices about how to withdraw consent |
Ongoing Developments
GDPR has been described as the biggest shake up to data protection in twenty years. It is important that your B2B is prepared and complies with the regulation in time for commencement on 25th April 2018. For more information on GDPR and further guidance on ongoing developments, visit the ICO website.
Increase your leads with Strategy
We partner with our B2B clients to drive results through strategic consulting and digital marketing solutions.
Our approach allows us to gain an in-depth understanding of your business objectives and ensures our digital marketing solution are aligned to them.
Discover Strategy
