General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is the changes applying to the Data Protection Law and relates to the data protection act and what you are legally obliged to do. The deadline for GDPR is 25^th of May 2018.

As little as 6% of companies are truly ready.

What is it?

An in depth look can be found in our blog post: The GDPR – What you need to know

But for a quick GDPR summary, it’s a new regulation from the European Commission that aims to ensure that the personal data of all EU citizens has more protection.

Businesses will need to ensure they comply with all aspects of GDPR and have proper systems in place to show that they are complying, as it is going to be heavily monitored.

The new regulation applies to; Data Controllers and Data Processors. Some companies are confused as to which role they play, however there is an easy way to distinguish between the two:

• Data Controllers – The GDPR defines a controller as ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’.
• Data Processors – The GDPR defines a processor as ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’.

Another major addition specified with GDPR in the introduction of a Data Protection Officer where applicable (that’s a DPO for those in the know). A DPOs job is to assist you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority.

Data Cleansing

Affecting the day to day operation of many business with the implementation of GDPR will be the new data cleansing and processing rules. Under GDPR, any data you hold must be ‘as accurate as possible.’

At Impact Marketing we are currently working with a number of clients to ensure they are ready for GDPR. We have the unique opportunity and experience to be able to offer a wide range of services to assist with GDPR preparation.

If you have any of the following data, you will need to ensure GDPR compliance;

• Prospect/Marketing Data
• Client Data
• Warranty Data
• Past Client Data
• Profile Data
• Suppliers
• Employees

If you hold any of these or any other data that contains personal information pertaining to any individual, you will be required to keep it to standard.

Lawful Basis

Under GDPR you must document, for each record what your lawful basis for processing that individual’s data is. There are 6 separate lawful bases for processing Personal data;

1. Contract from an individual
2. Compliance with a legal obligation
3. Life or death interest
4. Public tasks
5. Consent from an individual
6. Legitimate interest

We go into further detail for each lawful basis in our Processing Personal Data Under GDPR post.

You will need to demonstrate your compliance with GDPR, and you will need to keep full documentation of processes and communications etc to ensure you can justify your lawful basis.

One of the most important aspects of GDPR is consent. Nothing new in itself, although most marketing done today is done on an ‘opt-out’ basis. However, companies can no longer market on this basis, rather now individuals need to be ‘opt-in’. They must gain explicit consent from an individual, or have completed a legitimate interest assessment (LIA) for that individual.

Demonstrate Compliance

Another key implementation of GDPR is the requirement to demonstrate compliance. GDPR includes provisions that promote accountability and governance. Whilst the idea of an audit trail has been a part of data protection laws and regulations in the past, GDPR places an emphasis that greatly elevates their significance. You must:

• Implement technical and organisational measures that ensure and demonstrate compliance. This includes;
• Staff training
• Internal audits
• Reviews of existing policies
• Maintain relevant documentation on processing activities
• Where appropriate, appoint a data protection officer (DPO)
• Enforce measures that meet principles of data protection by design and default. This includes;
• Data Minimisation
• Pseudonymisation
• Transparency
• Allowing individuals to monitor processing
• Creating and improving security features on an ongoing basis
• Use data protection impact assessments where appropriate

These measures should minimise risk of any breaches and maintain protection of personal data. This will mean more policies and procedures for organisations; however, many companies will already have some measures in place.

Impact Marketing have the ability and resources in place to help your company prepare your data for GDPR compliance. We have an in-house data bureau, which allows us to carry out the following processes for your data;

• Cleansing
• Appending
• Establishing lawful basis
• Validating

Feel free to contact us to discuss any requirements you may have involving GDPR and/or data. Call us on 0800 999 8030 or fill in our contact form.

GDPR Knowledge base