The EU General Data Protection Regulation (GDPR) is the most significant European privacy legislation in the last twenty years. It came directly into force on 25 May 2018. The GDPR replaces the EU Data Protection Directive 1995 (European Directive 95/46/EC), strengthens the rights that EU individuals have regarding their data and creates a uniform data protection law across Europe. Brexit will not affect the new regulation as the Secretary of State for Culture, Media and Sport has confirmed that the GDPR will be enforceable from 25
These two words should be echoing in the boardroom of every organization from now on under this new regulation. An organization should ask itself questions such as: What types of personal data do we store? Where is it located? How is it accessed? Are we protecting the data sufficiently? Are we sufficiently protecting the rights and interests of the data subject? Do we have the necessary approval? And most importantly: Are we complying? Data protection should become a board-level discussion because of the heavy burden the regulation places on organizations and the penalties for those who do not comply. Where the DPA (1998) applied chiefly to companies operating in the EU, the scope of the GDPR extends globally. If an organization holds or processes data that can identify an EU citizen, it must comply regardless of its physical location. The GDPR also brings data processors into the spotlight. While it still focuses on the controller, i.e. who collected the data and who dictates its use, data processors such as data suppliers now come under scrutiny in terms of liability.
Many businesses relied on 'implied' consent during the DPA era. This passive approach was used for a decade until it was overridden during the GDPR negotiations. Often a pre-ticked box was used to indicate that the consumer had opted in or allowed third parties to use their data, and if the consumer did not bother to uncheck the box, implied consent was assumed. The GDPR, however, states that for consent to be valid there must be a "clear affirmative action". This means the consumer must actively tick an unchecked consent box. For clarity and security, a confirmation email should then follow, for example "click here to confirm your subscription". This creates a double opt-in and is a clear sign that the individual wants their data to be used by the company.
Consumers have the right to request the erasure of their data thanks to the GDPR. All personal data stored about the subject must be deleted unless there is a legitimate need for the business to retain it.
Although the requirement to appoint a data protection officer is new under the GDPR, it is a long-standing element of data protection law in Germany, and a modified version of the German rule made it into the GDPR. Companies are required to appoint a DPO if they regularly process large amounts of personal data or process "special category" data on a large scale (e.g. race, religion, health, or anything else considered sensitive).
The penalty for a data breach has increased dramatically from the maximum fine of £500,000 that was allowed under the DPA. The GDPR provides a comprehensive package for data collection, processing and management and should therefore not be breached. Those who do not comply with the GDPR face heavy fines of up to 2% of annual global turnover. Businesses that suffer a serious data breach face fines of up to €20 million or 4% of annual turnover, whichever is greater.
A data breach is more than just the loss of personal information. It is a breach of security that results in the destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to personal information. Breaches vary in severity, so it is important to understand how the organization was breached, what was accessed and how it will affect the rights of the data subject(s). Not all breaches need to be reported; in some cases they can be dealt with internally without notifying the supervisory authority. However, if the breach is likely to have a "significant and harmful effect on the individual", it must be reported. For example, a data breach that allows unauthorized access to customer transaction data puts the affected individuals at risk of identity theft. This should be reported as it poses a threat to the individual's safety. Accidentally changing employee phone numbers, on the other hand, can be handled in house and is not worth reporting.
Prominent Contact will follow best data protection practices. This means that we work closely with our data suppliers to ensure that data is collected in accordance with the regulations. Prominent Contact will ensure that all information is current and accurate.
The main change that the GDPR creates for marketing data is the legal basis on which the data can be processed (or used). Although there are six in total, the two most important to marketing are "legitimate interest" and "consent".
Legitimate interest is the legal basis for the processing of personal data that a company can use for direct marketing. The business has a legitimate interest in finding new customers; if it balances this interest against the interests and rights of the data subject, it may process personal data for marketing purposes. We believe this means there should be a clear fit between the product, service or content being communicated and the individual's role (e.g. job description), industry or other targeting factor. This relies on high-quality data and strict segmentation criteria. Marketing communications based on legitimate interest must then operate on an opt-out basis and must comply with the other GDPR data processing rules. Prominent Contact will process data on the basis of legitimate interest and provide it to our customers on this basis.
Consent means that the individual whose data is being processed must provide "opt-in" consent. Under the GDPR, businesses can no longer rely on presumed consent or pre-ticked boxes; these are replaced by a requirement for "express or unequivocal" consent given by actively ticking an unchecked box or by another "clear affirmative action". Some marketing data must be processed on the basis of consent, as detailed in the Personal Data Protection and Electronic Communications Regulation (PECR), which extends data protection obligations to marketing by electronic means and will continue to apply when the GDPR comes into force. In B2B marketing, this applies especially to sending e-mails to unregistered businesses such as sole proprietors.
We have concluded that it is not possible for our external email data suppliers to obtain consent to the full extent required by the GDPR. Therefore, we will no longer offer email addresses to unregistered companies at this time. The EU Privacy and Electronic Communications Regulation is currently under development and will eventually replace the PECR. We will of course comply with any new guidelines and criteria and can assure you that Prominent Contact will only sell data that complies with these guidelines.
Buying data from Prominent Contact does not by itself make you compliant. In order to comply with the GDPR, purchasers of marketing data (email, address or telephone) must also comply with the specific ICO and PECR guidelines for marketing by electronic means. All UK and EU businesses are required to ensure that they process data in accordance with the GDPR, which includes, but is not limited to, providing clear and accessible opt-out options for all communications and ensuring proper segmentation when delivering communications (e.g. ensuring that the data subject had a legitimate interest in the subject matter or content of any communication received). For more information please visit the ICO. Prominent Contact will check the data against the Telephone Preference Service (TPS) and Corporate Telephone Preference Service (CTPS) registers at the point of delivery. All customers must screen the data against any internal override files they hold prior to any marketing. After 28 days from delivery, the customer is obliged to re-check the data against the TPS and CTPS registers. Prominent Contact offers this service separately; please see our data validation tool.