The General Data Protection Regulation (or GDPR) comes into effect in May 2018. This will replace the Data Protection Act 1998. The main factor behind this change in legislation is the need for the law to be aligned with how personal information is now used. If organisations fail to comply with GDPR, they can face a hefty fine.
As digital marketers, the most important element of this change relates to how we store users’ data. Many of us have CRM systems that contain personal information about our customers. With this in mind, we have compiled a list of six things you need to know as a digital marketer about GDPR.
Explicit consent is required
The threshold of consent is now higher. When users are giving their personal information, explicit consent is required. This means that you must use a positive opt-in and a clear statement of consent. Consumers must be able to read this and understand exactly what they are signing up for. It is important to keep a record of this consent.
Users have the right to access their data
Users have the right to access their data at any time. This means that you are obligated to provide a free copy of an individual’s data if they request it. Customers can also request this data in an electronic format.
Users have the right to be forgotten
Individuals also have the right to be forgotten. This is also known as the ‘right to erasure’. This means that customers can request that their personal data be removed. You have one month to respond to this request. It is useful to know that this right only applies under certain circumstances, further details of which can be found on the ICO website.
Users must be notified of data breaches
Users and data controllers must be notified of data breaches. A data controller is someone who determines how the data is used and the way in which the data is processed. This means that if there are any breaches such as hacks or leaks, both the person or business who is using the data and the individual to whom the data belongs must be notified.
Consider GDPR when designing new systems
Complying with GDPR must now be considered when designing new systems. This applies if your business activity involves using personal data, or creating legislation or strategy that has privacy implications. The implications of GDPR must now be considered at the earliest stages of such projects.
Appoint a data protection officer
If your organisation is a public company or your activities centre on data, you need to appoint a data protection officer. Specifically, this applies if you are a public authority or if your activities require large-scale monitoring of individuals. It also applies if your business activity centres on processing data relating to criminal convictions on a large scale.
It is worth bearing in mind that a number of CRM systems such as MailChimp and Campaign Monitor have already made changes to align themselves with GDPR, but make sure to check with your own provider.