Rules and regulations around communication are in a constant state of flux, as such, evolution is often necessary to avoid falling foul of new legislation. While most of these mandatory amends are minor, there are occasions where new legislation totally changes the rules of the game. GDPR should be recognized as one of these ‘game-changers’.
GDPR stands for the General Data Protection Regulation and expands upon current data protection legislation in order to:
- Improve the rights of users
- Enhance cyber security
- Extend supervision and sanctions across consumer data
To help you get the key details as easily as possible, instead of reading you could watch the 5 minute guide to GDPR.
The Origins of GDPR
The details around the General Data Protection Regulation (GDPR) were negotiated over the space of four years and adopted by the European Union in April 2016. Replacing the previous EU Directive 95/96/EC and all other EU national legislation around data protection, including the UK’s Data Protection Act 1998, the new rules came into full force in May 2016.
With a two-year grace period built-in to allow companies to adapt, it’s essential business organizations develop their data handling and collection systems to ensure compliance by May 2018.
The Consequences of Failure
The introduction of GDPR has significant implications for the majority of business organizations. Failure to comply in any instance, whether it be through a single individual’s mistake or a company-wide error, has the potential to incur severe penalties. With punishments based upon global turnover, a failure to comply will be costly indeed…
Up to higher of €20m or 4% of worldwide turnover – Breaches of conditions for consent and other basic processing principles, rights of data subjects, ex EEA transfer rules and breaches of DPA orders under “corrective power”
GDPR – Broken Down
GDPR consists of multiple components that determine how data is collected, managed and stored. Here are the big three you need to consider…
‘Right to be forgotten’
This is the big one. Once GDPR is enacted, every single person will have the automatic right to be forgotten. If a contact asks to end their business relationship with you, you’ll have to delete ALL of their personal details, no ifs and no buts. This principle is absolute.
For B2B organizations who have previously collected data without the need to entirely remove contacts, this development is set to create significant challenges. Removing a contact from all platforms and databases is currently a capability few possess, siloes often exist throughout contact storage and achieving total data removal typically presents major logistical challenges.
Implied/Soft opt-in is no longer acceptable
At this moment in time, emails can be sent to existing customers as long as they’ve been given the opportunity to opt out at the time of purchase, this is often referred to as implied consent or soft opt-in.
Unfortunately, under the new rules this soft opt-in will no longer be acceptable, moving into the future, all consent must be explicit. This means that business organizations must be able to provide evidence that the customer has agreed to receive emails. On top of that, this must be done through an action on the prospect’s part, not automatically through a disclaimer.
Under the current rules, the Privacy and Electronic Communications Regulations (PECR) dictate that all company addresses are considered to be ‘Opt-out’ (Germany and Canada aside). As a result, emails can be sent to a company address without express permission as long as they include an option to unsubscribe.
Under the jurisdiction of GDPR, this is no longer the case, business and personal addresses are treated one and the same. The basic rule is, if the information relates to an individual, consent will be required for marketing emails.
On top of this requirement, it is also up to the sender to prove that consent. As such, all data collected must have an audit trail and reveal when the contact opted in and through what means.
There’s no doubt about it, GDPR is set to have wide-ranging impacts on B2B organizations. The way in which these companies manage and collect data will need to change if they are to achieve compliance. This will incur significant cost and will require some to totally change their technological infrastructure.
While there is still over a year remaining until GDPR becomes fully enforceable, wise companies will take action sooner rather than later. If they don’t, they may well find the scale of the changes necessary impossible to achieve before the deadline. It’s a dangerous game to play and one that has no winners. Don’t leave it until the last minute, make plans to comply as soon as possible, or you could regret it.
Find out how improved data capture capabilities could help you achieve compliance, download our Definitive Guide to Content Gating.