Data HQ’s complete guide to the GDPR

Data quality & GDPR
By Tim Holt 34 min read

1. What is the General Data Protection Regulation?

Overview of the GDPR

The GDPR is an EU regulation that came into force on 25 May 2018 and replaced the 1995 Data Protection Directive. In the UK, the Data Protection Act 2018 supplements the GDPR and sets out the UK-specific choices the regulation leaves to member states.

The Information Commissioner's Office (ICO) regulates and enforces the GDPR in the UK. The ICO has the power to conduct investigations and issue fines.

Ultimately, the purpose of the GDPR is to strengthen and standardise data protection law across all EU countries. It changes how organisations may handle information about their customers by imposing strict new rules on controlling and processing personal data (the GDPR term is broader than the US notion of personally identifiable information, or PII; this guide uses the two interchangeably). It also strengthens the rights of individuals and gives them more control over their data.

“User confidence is crucial for digital economy. Customer as a product and unsafe privacy are not sustainable business models. Digital is sophisticated enough to combine Security, Convenience and Personal Privacy.” Stephane Nappo


What has changed?

Designed to modernise laws in the face of rapid technological changes, the GDPR is the most significant change to data privacy regulations in over two decades.

Some of the fundamental changes under the GDPR include:

  • Wider scope. The GDPR applies to all organisations that process the personal data of individuals in the EU, regardless of where that organisation is based
  • More data caught. The GDPR has a broader definition of personal data compared to previous laws
  • Suppliers are affected. The GDPR directly regulates data processors for the first time. Data processors are companies and individuals that process data on behalf of an organisation (the data controller)

TIP: Your suppliers will need to be reviewed and assessed to determine current compliance with the GDPR.

  • Tougher fines. If you do not comply with the GDPR, you could face fines of up to €20,000,000 or 4% of your total global annual turnover for the preceding financial year
  • Dealing with breaches. You have 72 hours from becoming aware of a personal data breach to notify the ICO (unless the breach is unlikely to result in a risk to the rights and freedoms of the people whose data was affected)

TIP: Failing to notify in time carries fines of up to 10 million euros or 2% of annual worldwide turnover, and you must keep an internal record of every breach, including those you decide not to report and the reasoning behind that decision. Sweeping breaches under the carpet is now extremely high risk.

  • Enhanced rights. The GDPR provides more rights to individuals. This makes it easier to claim for damage if these rights are breached. More about these rights later in this guide
  • New roles. Public authorities, and organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special category or criminal offence data, must appoint a Data Protection Officer
  • A higher bar for lawful processing. The GDPR imposes far tighter conditions on when data processing can be justified. More about lawful processing later in this guide
  • Transfers. Transfers of personal data to countries outside the EU are only permitted where the conditions laid down in the GDPR are met
  • Accountability. Data governance is no longer just about doing the right thing. Instead, organisations must be able to prove that they have done the right thing.

While the GDPR has brought in big changes, the UK's Information Commissioner, who is in charge of data protection enforcement in the UK, has warned that there is still more to do.

"It's still an evolution, not a revolution". Elizabeth Denham, Information Commissioner

Who does the GDPR apply to?

The GDPR covers any individual, organisation or company that either controls or processes personal data. It doesn’t matter whether you are based in an EU country or not. If you process, store or transmit personal data belonging to individuals in the EU, then you are required to comply.

However, the GDPR does not apply to people who process personal data exclusively for personal or household activities. You are not going to be fined by the ICO if you keep details of your friends and family on your computer and are subsequently hacked. And it doesn’t mean that nobody is legally allowed to email you ever again!

TIP: If your firm employs fewer than 250 people you still have to comply with the GDPR, but you only need to document processing activities that are not occasional, that could result in a risk to the rights and freedoms of individuals, and/or which involve the processing of special categories of data or criminal conviction and offence data.


What are the penalties for non-compliance?

There are two levels of fines under the GDPR:

  • Up to €10 million, or 2% of annual global turnover – whichever is higher (e.g. for failure to report data breaches in time or to keep adequate records)
  • Up to €20 million, or 4% of annual global turnover – whichever is higher (e.g. for breaching the core processing principles, individuals’ rights or the rules on international transfers).

The fines are discretionary and will be imposed on a case-by-case basis.

Myth: The GDPR is about imposing huge fines on organisations.

Fact: The ICO is committed to guiding, advising and educating organisations about how to comply with GDPR.


The GDPR after Brexit

The General Data Protection Regulation will form part of UK law following the country’s withdrawal from the European Union.

“Over 70% of all trade in services are enabled by data flows, meaning that data protection is critical to international trade.” The Queen’s Speech, 2017

Find out more about how the GDPR will still be relevant in a post-Brexit Britain in our blog.

2. What is personal data and what can you do with it?

What is personally identifiable information (PII)?

Personal data is anything that relates to an identified or identifiable individual, and is:

✔ Processed electronically; or

✔ Kept in a filing system; or

✔ Part of an accessible record; or

✔ Held by a public authority.

This includes names, numbers and other identifiers such as an IP address or a cookie identifier. If it is at all possible to identify an individual from the data you are processing, it is personal data under the GDPR.

However, it is more complicated than that. If you can identify an individual from a piece of information only when it is combined with other data you hold (or could reasonably obtain), it is still personal data. You must take into account all the information you have access to together.

The GDPR does not cover information that is truly anonymous. Pseudonymised data (for example, records where the name has been replaced by a customer number or a hash) is not anonymous: as long as someone could link it back to an individual, it remains personal data and must be treated as such.
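To make the pseudonymisation caveat concrete, here is an added example in Python (written for this guide, not code from the original page) showing why an unkeyed hash of an email address is not anonymisation: anyone holding a list of candidate addresses can recompute the hashes and re-identify people. A keyed HMAC blocks that offline dictionary attack for anyone without the key, but the key holder can still re-link tokens to people, so the output is pseudonymised personal data rather than anonymous data. The candidate addresses and the "leaked" tokens are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample: addresses an attacker might already hold (a marketing list,
# an earlier breach dump, or simply guessed corporate name patterns).
CANDIDATE_EMAILS = [
    "alice@example.com",
    "bob@example.org",
    "carol@example.net",
]


def canonical(email: str) -> bytes:
    """Normalise before hashing so case and whitespace variants map to one token."""
    return email.strip().lower().encode("utf-8")


def pseudonymise_sha256(email: str) -> str:
    """Unkeyed hash: deterministic, so anyone with a candidate list can reverse it."""
    return hashlib.sha256(canonical(email)).hexdigest()


def pseudonymise_hmac(email: str, key: bytes) -> str:
    """Keyed hash: only the key holder can recompute tokens and re-link them."""
    return hmac.new(key, canonical(email), hashlib.sha256).hexdigest()


def reidentify(token: str, candidates: Iterable[str],
               pseudonymise: Callable[[str], str]) -> Optional[str]:
    """Dictionary attack: recompute the token for every candidate and compare."""
    for email in candidates:
        if hmac.compare_digest(pseudonymise(email), token):
            return email
    return None


def demo() -> dict:
    """Run the attack against both schemes; returns what each party can learn."""
    key = secrets.token_bytes(32)   # held by the controller, never exported
    target = "bob@example.org"      # the person behind the constructed leaked tokens

    leaked_plain = pseudonymise_sha256(target)
    leaked_keyed = pseudonymise_hmac(target, key)

    return {
        # Anyone can re-identify an unkeyed hash from a candidate list.
        "sha256_attacker": reidentify(leaked_plain, CANDIDATE_EMAILS, pseudonymise_sha256),
        # Without the key, the same attack on the HMAC token fails.
        "hmac_attacker": reidentify(leaked_keyed, CANDIDATE_EMAILS, pseudonymise_sha256),
        # The controller still can, which is why the data is pseudonymous, not anonymous.
        "hmac_controller": reidentify(leaked_keyed, CANDIDATE_EMAILS,
                                      lambda e: pseudonymise_hmac(e, key)),
    }


if __name__ == "__main__":
    for party, result in demo().items():
        print(f"{party}: {result}")
```

The keyed scheme only moves the risk to key management: whoever obtains the key (or a copy of the original mapping) is back to the first case. Data only becomes anonymous once no party can realistically re-link it, which means destroying the key or mapping and checking that the remaining attributes (postcode, date of birth, rare job titles) do not single a person out on their own.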

Research from the DMA found that consumers now feel more comfortable sharing their data than ever before. 62% said their confidence about sharing data with businesses had been improved by GDPR.

What is sensitive/special category data?

Under the GDPR, personal data also includes special categories of personal data. This includes information on:

  • Race
  • Ethnic origin
  • Politics
  • Religion
  • Trade union membership
  • Genetics
  • Biometrics (where used for ID purposes)
  • Health
  • Sex life
  • Sexual orientation.

As this information is considered to be more sensitive, you may only process it in certain circumstances. You can find out more about when it is appropriate to process special category data on the ICO’s website.

There are also separate safeguards for personal data relating to criminal convictions and offences.

TIP: It can be easy to identify some sensitive information about a person by seemingly innocuous means. For example, a person’s religion might be identifiable through their dietary choices (e.g. collected by you when organising an event).

3. How organisations should handle personal data

Data processing principles

When it comes to processing personal data, the GDPR has seven principles.

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (security)
  7. Accountability

If you meet (and can demonstrate that you meet) these seven principles, you are well on your way to being compliant with the new regulation.

Principle

What this means

Lawfulness, fairness and transparency

You must identify a valid ground (known as a ‘lawful basis’) for collecting and using personal data. You must ensure you do not do anything with the data in breach of this basis, or any other laws.

Purpose limitation

Data should be obtained for specified and lawful purposes. You must clearly identify and document your purpose(s) for processing the personal data. You must review these processes regularly and update any documentation accordingly. Data must not be further processed in a way that is incompatible with those purposes.

Data minimisation

You must only collect the specific personal data you need for your specified purpose(s). The data should be adequate, relevant and not excessive. You must review this data periodically and delete anything you don’t need.

Accuracy

You must ensure the accuracy of any personal data you hold. You must identify when you need to update data to ensure it remains accurate and update as necessary. You must record any mistakes in data and comply with the individual’s right to rectification.

Storage limitation

You must carefully consider how long you keep personal information. You should hold regular reviews to identify the data you hold and erase or anonymise it when it is no longer needed. You must have appropriate processes in place to comply with the individual’s ‘right to be forgotten’.

Integrity and confidentiality (security)

You must have appropriate security measures in place to protect the personal data you hold.

Accountability

You must take responsibility for what you do with personal data and how you comply with the other principles. You must be able to demonstrate this compliance.

4. Consent and lawful bases for processing data

Do you need consent?

“I want to set the record straight. I want to bust the myths. Because I know that most organisations want to get GDPR right when it comes into force.”

Elizabeth Denham, UK Information Commissioner

Myth: You must have consent if you want to process personal data.

Fact: Consent is one way to comply with the GDPR, but it’s not the only way.

The GDPR sets a high standard for consent. But the new rules only apply if you are relying on consent as your basis to process personal data. And, while consent is one way to comply with the GDPR, it is not the only way (more about this next).

GDPR checklist: If you are using consent as the basis for your email marketing make sure you have:

  • Documented consent as your lawful basis for processing
  • Asked people to opt-in and made your request for consent prominent (and separate from your T&Cs)
  • Specified why you are asking for the data and what you are going to do with it
  • Used clear language that is easy to understand
  • Not used pre-ticked boxes (or any other type of default consent)
  • Provided separate and distinct options to allow people to give consent to different purposes and types of processing
  • Provided details about who will be using the data (including any third-parties)
  • Let individuals know that they can remove their consent at any time (with details about how to do this).

In addition, you must:

  • Act on withdrawals of consent as soon as possible
  • Not penalise individuals who wish to withdraw consent
  • Put age-verification and/or parental controls in place if seeking consent from children
  • Avoid making consent a precondition of service
  • Keep a record of when and how you got consent from the individual
  • Review and refresh consents regularly.

However, you do not need to seek consent if another lawful basis applies to the processing.

What are the lawful bases?

Under the GDPR, you must establish a valid lawful basis to process personal data. The six available lawful bases are:

  1. Consent. This usually (but not always) requires a positive opt-in. You can’t use pre-ticked boxes or another default method of obtaining consent
  2. Contract. You can use this basis if you need to process someone’s personal data to carry out your contractual obligations with an individual, or because they asked you to do something (e.g. provide a quote)
  3. Legal obligation. You can use this basis if you need to process personal data to comply with a law or statutory obligation
  4. Vital interests. You might be able to use this basis if you need to process personal information to protect someone’s life. This only applies to matters of life and death
  5. Public task. You can use this basis if you need to process someone’s personal data in the exercise of official functions and powers (most relevant to public authorities) or to perform a specific task in the public interest. In either case, the function or task must be set out in law
  6. Legitimate interest. This is the most flexible lawful basis for processing. Legitimate interest is appropriate where you use people’s data in ways they would reasonably expect and which has a minimal privacy impact. It also applies where there is a compelling justification for the processing.

How to decide what basis applies

The ‘right’ basis will depend on which is most appropriate to the task. However, as a rule of thumb, most bases demand that the processing is ‘necessary’. If you can reasonably achieve the same result without it, it is unlikely that you will have a lawful basis.


How to document your bases

As well as considering how you will legally process the data, whether that be consent or legitimate interest, draft a privacy policy/notice.

GDPR checklist: The starting point of a privacy notice should be to tell people:

  • Who you are
  • What you are going to do with their information
  • Who it will be shared with
  • Their data subject (individual) rights
  • How they can contact you to exercise these rights
  • The security measures in place to safeguard their privacy
  • The different ways you will use their information.

You should also provide a clear and simple way for them to see the different types of processing. This could look something like this:


Lawful processing

The purposes and reasons for processing your personal data, with the legal basis for each, include:

  • Collecting and storing personal data to respond to a sales enquiry: Contract
  • Collecting and storing personal data in the performance of a contract, or to provide products/services: Contract
  • Collecting and storing personal data to provide reports/updates on services/products provided: Contract
  • Collecting and storing your personal data as part of our legal obligation for business accounting and tax purposes: Legal obligation
  • To process and respond to complaints: Legal obligation
  • To bill for services/products and obtain payment: Contract
  • To communicate with you about updates, news, and events that are relevant to your interests and in line with your preferences: Consent
  • To market our goods to existing customers to increase sales: Legitimate interest
  • To monitor and record information relating to the use of our website: Legitimate interest

Understanding legitimate interest in B2B

Put simply, in most cases there’s no need for consent when emailing business contacts and corporate businesses. In fact, since the GDPR, very little has changed. The main difference is a few more layers of policy and process to make it clearer to people why you might be processing their personal data.

The Privacy and Electronic Communications Regulations (PECR)* currently govern email marketing and, in a B2B environment, there is an exemption under PECR for employees of corporate subscribers. This means you can rely on legitimate interests to send a marketing email to these individuals without their prior consent. But sole traders and non-incorporated partnerships require the same level of consent as a consumer.

However, if you do use legitimate interest rather than consent as your lawful basis, there are three steps you must carry out.

GDPR checklist: there are three necessary steps to compliance:

  1. Purpose test (is there a legitimate interest behind the processing?)
  2. Necessity test (is the processing necessary for that purpose?)
  3. Balancing test (is the legitimate interest overridden by the rights of the individual?).

So, all you really need to do is document your assessment, justify your decision, and tell the individuals affected what your legitimate interest is (e.g. in your privacy notice). And, while it is not enough to rely on vague or generic “business interests”, even the ICO states that “the interests do not have to be very compelling”.

Here is one accepted example provided by the ICO: “we have a legitimate interest in marketing our goods to existing customers to increase sales”.

What’s more, the ICO also states that the need for processing to be ‘necessary’ doesn’t mean ‘essential’. It must, however, be a targeted and proportional way of achieving your objective.

*The EU will be releasing a new ePrivacy (ePR) regulation but until then PECR will continue to apply.


However, a word of caution: sending spam emails is a breach of the electronic marketing rules and is not a legitimate interest. You should also stop cold email marketing to sole traders and partnerships unless you have their prior consent.

Find out more about Understanding Legitimate Interest in our recent blog.

Understanding legitimate interest in B2C

If the recipients are B2B and they are existing customers or prospects, then post-GDPR, very little has changed*. For the most part, you can rely on legitimate interest to continue marketing to people. However, the situation is slightly different for B2C prospects.

Under legitimate interests, it is possible for B2C marketers to contact customers with a new offer or details of a product. However, they should make sure that the content is relevant and appropriate based on past purchases. The trick is to think about this sensibly.

*Sole traders and non-incorporated partnerships require the same level of consent as consumers.

Do you need help understanding legitimate interest? We offer GDPR advice to help keep you compliant. Call us on 01245 807470 today and speak to a GDPR Expert.

5. How the GDPR can improve email marketing

With the GDPR, it is clear a lot of businesses are now getting to grips with their due diligence. However, it is important to understand that the GDPR presents many opportunities for both B2B and B2C marketers. As such, businesses should be reviewing their marketing techniques to improve the targeting of their email databases.

According to Deloitte, 61% of respondents believe that GDPR has its benefits beyond just implementation. Of those, 21% expect significant benefits, including competitive advantage, improved reputation, and business enablement.

Implications of the GDPR for B2B email marketing

B2B marketers are now settling into their new data protection-focused routines. Those who understand how the GDPR positively impacts B2B marketing lists continue to thrive with their email marketing and generate leads for their businesses. However, those who have misunderstood the GDPR may have seen their leads dwindle, sales hit the buffers, and business growth stalling.

The bottom line is that the GDPR doesn’t have to have a dramatic impact on the way you do business.

Read more about the correlation between compliant email marketing and keeping up with the GDPR in our blog, B2B Email Marketing and GDPR : What You Need to Know.

B2B marketing activities permissible under the GDPR

When it comes to the GDPR, cold B2B email marketing (such as renting marketing lists) and telephone marketing, what activities are legal and what aren’t?

B2B marketing activities permissible under the GDPR

  • Cold email marketing to employees of limited companies, PLCs and corporate organisations such as public sector bodies, charities and associations.
  • Cold telephone marketing to the business number of the above, except when the number is registered on CTPS/TPS or the message is pre-recorded.

B2B marketing activities not permissible under the GDPR

  • Cold email marketing to sole traders and non-incorporated partnerships without their prior consent to receive communication from your company.
  • Cold telephone marketing to sole traders and non-incorporated partnerships using pre-recorded calls or SMS marketing without prior consent.
  • Cold telephone marketing by an actual person (live calls) to any number listed on CTPS/TPS, or to anyone who has objected to your calls in the past. You can still make live marketing calls where a number isn’t listed and no objection has been made.

Opt-in for B2B email marketing

The facts


  • Opt-in is not required for B2B data (apart from for sole traders and partnerships)
  • There’s no requirement under the GDPR to have a double opt-in process
  • You must provide an easy route to opt-out.

Ways the GDPR is improving B2B email marketing

Increased customer confidence

Now more than ever, consumers are aware that their personal data is valuable to businesses. Ultimately, this new level of transparency should lead to customers trusting brands more and having the confidence to share more data.

Reduced negative PR

Additional data protection and security regulations benefit both customers and brands. No business wants to deal with negative PR.

Positive business change

With change comes opportunity, so the new regulation presents the chance to transform your business culture and processes for the better.

Raise the profile of marketing

With marketing taking the lead in developing a privacy culture, it should highlight the importance of marketing among senior leaders and increase the credibility of the function within the business.

Want to know why the GDPR is a good thing for B2B marketers? Read more about the benefits and opportunities of the GDPR for marketers in our blog.

Implications of the GDPR for B2C email marketing

Despite all the noise about the GDPR, rules around ePrivacy are perhaps even more important when it comes to B2C email marketing.

The Privacy and Electronic Communications Regulations (PECR)* provide people with specific privacy rights in relation to electronic communications. And, together with the Data Protection Act and the GDPR, they bring some significant changes when it comes to launching B2C email campaigns.

For consumers, the GDPR provides more control over what happens to their data. As such you must get the specifics of your opt-in statement right. Be clear and unambiguous.

You should also get as many people as possible to opt-in to your future communications. For example, have a pop-up on your website, run double opt-in campaigns and if you host events ask attendees to opt-in for further info (e.g. slides).

*The EU will be releasing a new ePrivacy (ePR) regulation but until then PECR will continue to apply.

B2C marketing activities permissible under the GDPR

For modern B2C marketers, the key is to ensure that consent has been given when marketing to individual consumers. However, the ‘soft opt-in’ may still apply to your existing customers. For example, if the customer has:

✔ Recently purchased a product or service from you

✔ Willingly given you their personal details

✔ Not opted-out of marketing communications (assuming that you provided a simple opt-out process).

However, if you previously had bundled consent, a vague or soft opt-in, or assumed or implied consent, it may now need to be granular and specific.


What is a soft opt-in?

The term ‘soft opt-in’ is sometimes used to describe the rule about existing customers. The idea is that if an individual bought something from you recently, gave you their details, and did not opt out of marketing messages, they are probably happy to receive marketing from you about similar products or services even if they haven’t specifically consented. However, you must have given them a clear chance to opt out – both when you first collected their details, and in every message you send.

The soft opt-in rule means you may be able to email or text your own customers, but it does not apply to prospective customers or new contacts (e.g. from bought-in lists). It also does not apply to non-commercial promotions (e.g. charity fundraising or political campaigning).

Source: ico.org.uk

TIP: You must give your recipients clear and fair opportunities to unsubscribe from your emails or mailers. Recipients will expect to be able to easily locate the unsubscribe instructions or link – normally in the footer of your piece.

Opt-in for B2C email marketing

The facts


  • Opt-in is required for new B2C data
  • The ‘soft opt-in’ may still apply to your existing customers
  • Silence, pre-ticked boxes or inactivity should not constitute consent
  • Specific choice opt-in is required for B2C data
  • There’s no requirement under the GDPR to have a double opt-in process
  • Double opt-in is a good idea when you are collecting new data
  • You must provide an easy route to opt-out.

Ways the GDPR is improving B2C email marketing

Investment in data

The GDPR forces all B2C organisations to look after the personal information they hold with much more care. And, rather than moaning about the headache, savvy marketers are taking the opportunity to invest in software that supports compliance (no tool can guarantee it on its own). Such software won’t just help meet your data protection obligations; it can also add a new dimension to email marketing and lawfully turn insights into actionable improvements and innovations.

A focus on quality contacts and data

Under the GDPR and PECR, it’s not illegal to send marketing emails to consumers; you just need a valid basis to do so, which for new contacts means their consent (or the soft opt-in for existing customers). So, this should put an end to spam and make us all focus on building relationships with people that want to talk to us. Think quality, not quantity. Crucially, this approach should also encourage people to share more information with you. Data that you can use to further enhance and focus your B2C marketing activities.

Enhanced brand loyalty

Rather than sending out emails using a scattergun approach, B2C businesses will have to think hard about what their customers will find interesting. Such compelling communications will make people love your brand and create more valuable relationships.

Personalising your marketing campaigns

Post-GDPR, targeting your email subscribers and sending them personalised, relevant emails remains a great way to connect with the people on your email lists. And this is true for both B2B and B2C contacts.

Research from the DMA found that 57% of consumers prefer some form of personalised marketing.

However, remember not to go overboard when using personalised fields as this can be perceived as intrusive. It’s more important to craft an email that sounds as if it was written by a real person for a real recipient.

If you’re looking to personalise your email marketing consider the following:

  • What are your objectives? You don’t want to throw in a contact’s first name simply because you thought it was fun. Make sure it helps you achieve your goals, whether that’s to boost your engagement rates, likes, email opens, etc.
  • Is your data accurate? Your personalisation will only succeed if your data list is up-to-date, clean and accurate
  • Are you using email campaign personalisation naturally? Personalised content should feel natural. Does it make sense for the goals of your campaigns or is it just ‘for the sake of it’?
  • The importance of testing. After you create your emails, send a test to yourself to make sure the right information is being pulled in correctly. If a subscriber’s first name should appear, confirm that’s actually happening.

TIP: Make sure your data is clean and accurate. There is nothing worse than an email with the wrong name or <test> in place of the recipient’s name!


What to ask for when purchasing data

You can continue to buy or rent marketing lists now that the GDPR has come into force.

However, new data lists will be much smaller and higher value. Also, as a buyer, you must make sure you know the data you’re buying meets an appropriate legal basis required for the type of marketing; particularly if you’re marketing to B2C contacts.

If you are buying data, your partner of choice will be crucial to the effectiveness of your goals. Be prepared to question and test your preferred data supplier to safeguard yourself against poor and inaccurate data lists.

When making a shortlist, consider asking around to see who has had success working with the particular data provider you are working with.

Here are some questions to ask your potential marketing list providers:

✔ How is their list researched?

✔ How often is the list updated?

✔ How is it updated?

✔ Where do they find the information?

✔ How is it verified?

✔ Is it GDPR compliant?

Make sure you buy from reputable sources and insist on receiving the provable audit trail and carry out the necessary due diligence, too.

Worried about compliance? Check out these questions to ask your data supplier.

6. The rights of individuals

The GDPR provides the following rights for individuals:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.

Right

What this means

The right to be informed

Under the GDPR, people have the right to be informed about the collection and use of their personal data. So, you must let people know why you are processing their information, your retention periods for that data, and who it will be shared with. You must do this at the time you collect the data from them (or, where you obtained it from another source, within a reasonable period and at most one month), using clear and plain language.

The right of access

Individuals have the right to access their personal data (referred to as subject access). You should have a policy in place for dealing with such requests (and know how to deal with requests that disclose information about other individuals). You should respond promptly (within one month), and you should not charge a fee for dealing with such requests.

Right to rectification

Individuals have the right to ensure personal data is rectified, or completed if it is incomplete. You should have a policy in place for dealing with such requests (and know when you can refuse). You should respond to such requests promptly (within one month).

Right to erasure

Individuals have the right to be forgotten. You should have a policy in place for dealing with such requests (and know when you can refuse). You should respond to such requests promptly (within one month).

Right to restrict processing

In some circumstances, individuals have the right to request the restriction or suppression of their personal data. This means that you are permitted to store the personal data, but not use it. You should have a policy in place for dealing with such requests (and know when you can refuse). You should respond to such requests promptly (within one month).

Right to object

The GDPR gives individuals the right to object to the processing of their personal data (in certain circumstances). Individuals have an absolute right to stop their data being used for email marketing. You must tell individuals about their right to object and have a policy in place for dealing with such requests.

Right to data portability

Individuals have the right to obtain and reuse their personal data for their own purposes across different services. This enables them to transfer their personal data from one IT environment to another safely and securely. The right applies where the data is processed by automated means, either with consent or in the performance of a contract. You must inform individuals of their right to data portability, especially if you are planning to cancel a contract or close an account they have with you. You should also have a policy in place for dealing with such requests (and know when you can refuse). You should respond to such requests promptly (within one month).

Rights to automated decision making (including profiling)

The GDPR applies to both automated individual decision-making and profiling. To comply with the GDPR, you must have a lawful basis to carry out profiling and/or automated decision-making and document this in your data protection policy. You should also explain how people can access details of the information you have used to create their profile and how they can object to profiling, including for marketing purposes.

Tip: If a person changes their name, address or other significant detail, they may appear to be a different contact from the person who previously exercised their ‘right to be forgotten’ and may accidentally be included in a new marketing campaign as a result. Ensure that your ‘request for removal’ process takes linked information into account, so the removal job can be done thoroughly.
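One way to build the ‘request for removal’ process the tip describes is a suppression list that matches on several linked, stable identifiers (email, phone, CRM id) rather than on name or address, which are exactly the fields that change. The following is an added example, not code from the Data HQ guide or from any product it describes. It assumes UK phone numbers (a leading 0 is rewritten as 44 so two spellings of the same number match), stores only salted hashes of each identifier so the list itself does not retain the erased person's clear-text data, and uses constructed sample contacts with example.* domains.

```python
"""Suppression list keyed on linked identifiers (constructed example).

A contact who exercised the right to erasure is recorded under every stable
identifier linked to them. A later campaign list is checked against all of
those identifiers, so a changed name or address does not let the person slip
back into a mailing. Names are deliberately not used for matching: they are
neither unique nor stable.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Contact:
    """A marketing contact. Only email, phone and customer_id take part in
    matching; name is carried for display only."""
    name: str
    email: str = ""
    phone: str = ""
    customer_id: str = ""


def normalise_email(email: str) -> str:
    return email.strip().lower()


def normalise_phone(phone: str) -> str:
    """Assumption: UK numbers. Keep digits only and write a leading 0 as 44
    so that '+44 7700 900123' and '07700 900123' become the same token."""
    digits = re.sub(r"\D", "", phone)
    if digits.startswith("0"):
        digits = "44" + digits[1:]
    return digits


class SuppressionList:
    """Stores a salted SHA-256 of each identifier linked to an erased contact.
    The list can recognise the person again without keeping their clear-text
    data after the erasure has been carried out."""

    def __init__(self, salt: bytes) -> None:
        self._salt = salt
        self._tokens: set = set()

    def _token(self, kind: str, value: str) -> str:
        return hashlib.sha256(self._salt + f"{kind}:{value}".encode()).hexdigest()

    @staticmethod
    def _identifiers(contact: Contact) -> List[Tuple[str, str]]:
        ids = []
        if contact.email:
            ids.append(("email", normalise_email(contact.email)))
        if contact.phone:
            ids.append(("phone", normalise_phone(contact.phone)))
        if contact.customer_id:
            ids.append(("customer_id", contact.customer_id.strip()))
        return ids

    def add_erasure_request(self, contact: Contact) -> int:
        """Record every linked identifier of the erased contact.
        Returns how many identifiers were recorded."""
        ids = self._identifiers(contact)
        for kind, value in ids:
            self._tokens.add(self._token(kind, value))
        return len(ids)

    def is_suppressed(self, contact: Contact) -> bool:
        """True if any one linked identifier matches an erasure request."""
        return any(self._token(k, v) in self._tokens
                   for k, v in self._identifiers(contact))

    def filter_campaign(self, contacts: Iterable[Contact]) -> Tuple[List[Contact], List[Contact]]:
        """Split a campaign list into (kept, suppressed)."""
        kept: List[Contact] = []
        suppressed: List[Contact] = []
        for c in contacts:
            (suppressed if self.is_suppressed(c) else kept).append(c)
        return kept, suppressed


# Constructed sample data: hypothetical people, example.* domains.
ERASED = Contact(name="Jane Smith", email="jane.smith@example.com",
                 phone="+44 7700 900123", customer_id="C-1001")

CAMPAIGN = [
    Contact(name="Jane Smith-Jones", email="Jane.Smith@Example.com"),         # new name, same email
    Contact(name="J. Smith", email="jsj@example.net", phone="07700 900123"),  # new email, same phone
    Contact(name="Jane Smith", customer_id="C-1001"),                         # only the CRM id survives
    Contact(name="Bob Brown", email="bob@example.org", phone="+44 7700 900999"),
]


def run_demo() -> Tuple[List[str], List[str]]:
    """Return the names kept and suppressed for the constructed campaign."""
    sl = SuppressionList(salt=b"example-salt-keep-secret-and-rotate")
    sl.add_erasure_request(ERASED)
    kept, suppressed = sl.filter_campaign(CAMPAIGN)
    return [c.name for c in kept], [c.name for c in suppressed]


if __name__ == "__main__":
    print(run_demo())
```

The salt should be kept as secret as the data it protects: without it, a hashed email list can be reversed by hashing candidate addresses. Recording the erasure under every identifier at the time of the request is the key point; if only the email is stored, the second and third campaign contacts above would be mailed again.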

7. How to ensure GDPR compliance

Keeping records (contracts and other documentation)

The GDPR includes explicit provisions about documenting your processing activities. This includes maintaining records on things such as processing purposes, data sharing and retention. You should be prepared to make these records available to the ICO on request.

GDPR checklist: As a minimum, you should have the following*

  • Documentation pertaining to information audits or data-mapping exercises
  • Information required for privacy notices
  • Records of consent
  • Controller-processor contracts
  • Documentation that sets out where personal data is stored
  • Documentation relating to individual rights and processes for responding to requests
  • Data Protection Impact Assessment reports
  • Policies (e.g. security policies, retention policies and data sharing policies)
  • Records of personal data breaches.

*Smaller organisations have less stringent documentation requirements.

Codes of conduct and certification

The ICO recommends that you use approved codes of conduct and certification to help you to apply the GDPR effectively and demonstrate compliance.

Benefits include:

✔ Helping you to comply with the law

✔ Demonstrating that you follow the GDPR requirements for data protection

✔ Showing that you are addressing the level of risk relevant to your sector

✔ Showing that you are addressing the level of risk relevant to the type of processing you are doing

✔ Inspiring customer confidence

✔ Providing a competitive advantage

✔ Mitigating data breaches.

Code of Conduct

Trade associations or bodies representing a sector can create codes of conduct, which must be approved by the ICO. If a code covers more than one EU country, the ICO will submit it to the European Data Protection Board (EDPB).

Certification

GDPR certification is prepared by certification bodies or competent supervisory authorities and approved by the ICO or the EDPB. It is issued for a maximum of three years, after which it must be renewed or withdrawn.

Putting the right people in place

According to Econsultancy, 59% of in-house marketers say that their organisations have either appointed or are planning to appoint a data protection officer.

Large data controllers must now appoint a Data Protection Officer (DPO). DPOs will:

✔ Monitor internal compliance

✔ Inform and advise on your data protection obligations

✔ Provide advice regarding Data Protection Impact Assessments (DPIAs)

✔ Act as a contact point for the ICO and data subjects.


Regardless of whether you are obliged to appoint a DPO, you must ensure that your staff can meet your obligations under the GDPR.


Putting adequate processes in place

GDPR checklist: 10-step essential guide to GDPR compliance:

  1. Understanding. What personal data do you hold? Organise a data audit which will help document what you have, where it came from, and who you share it with
  2. Awareness. Ensure everyone in your business who has access to personal data is aware of their obligations and responsibilities
  3. Communication. Review your privacy policy notices and make any necessary changes
  4. Procedures. Review your procedures to ensure all the individual rights are covered (e.g. how you provide data electronically and how you would delete personal data if requested)
  5. Requests. Plan for how your organisation will handle requests within the new timescales and provide any additional information that customers may demand
  6. Processing. Review the various types of data processing your organisation carries out, identify the legal basis for carrying it out, and ensure this is documented
  7. Consent. Review how the organisation is seeking, obtaining and recording consent and whether any changes are required
  8. Breaches. Ensure the correct procedures are in place to detect, report and investigate any personal data breach
  9. Officers. Ensure there is a nominated Data Protection Officer or someone to take responsibility for data protection compliance
  10. International. Understand which markets your organisation operates within. If this is international, you should determine which data protection supervisory authority you fall under and how you will deal with data transfers outside of the EU.

Auditing your data

Auditing your data is not only crucial to ensure you remain lawful in terms of data protection, it will also ensure that your marketing campaigns remain effective and that your pipeline remains full.

Data accuracy is vital because data decay is inevitable. Auditing your data is essential to ensure better-targeted and less wasteful marketing.

Statistics show frequent changes in data can lead to decay of up to 40% per annum.

Carrying out an audit will provide a clear vision of the current situation. The benefits include:

✔ Identifying out-of-date information for removal (crucial under the GDPR)

✔ Highlighting available enhancements for your existing database

✔ Saving budget and improving customer service

✔ Avoiding contacting customers who are no longer appropriate (crucial under the GDPR)

✔ Improving response rates and ROI.


8. How to deal with data breaches

Preparing for a data breach

The last thing you want to think about is the possibility of something going wrong. But the right preparation won’t just reduce the likelihood of a data breach happening; it will also limit the fallout should the worst happen.

In addition to the 10-step essential guide to GDPR compliance set out earlier in this guide, this means:

  1. Establishing compliant processes for responding to data breaches
  2. Creating early response tactics and strategies to stop a situation from escalating
  3. Preparing response action plans in advance
  4. Establishing investigatory methods (so you can quickly find out what data was leaked and who was responsible).

Recognising a personal data breach

Myth: All personal data breaches will need to be reported to the ICO.

Fact: If it’s unlikely that there’s a risk to people’s rights and freedoms from the breach, you don’t need to report.

Today, UK businesses must self-report personal data breaches to the ICO unless the violation “is unlikely to result in a risk to the rights and freedoms of natural persons”.

But which types of breach are unlikely to result in such a risk isn’t easy to determine.

“A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.”

The Information Commissioner’s Office

With a stark rise in data breaches and cybercrime, the question of whether a breach must be reported will almost certainly become something most businesses have to face.

With immediate decisions needed due to stringent timelines on data breach reporting (no later than 72 hours after discovering the breach), it is likely that most businesses will report following any breach, rather than risk hefty fines for failing to do so.

Reporting a data breach under the GDPR

Should a breach occur, it’s vital to resolve the matter as quickly and cost-effectively as possible. This means reporting the breach quickly to help mitigate your legal liability as much as possible.

Before the introduction of the GDPR, there was no legal requirement for organisations to self-report data breaches (although it was encouraged). However, over the last year there has been a 30% rise in self-reporting, no doubt because companies were getting ready for the new regulations.

Businesses and other organisations can report a personal data breach to the Information Commissioner’s Office through the ICO’s website.

Recovering from a data breach

To help your organisation to recover following a data breach, look to:

  • Contain the data breach. Identify how the incident happened and take appropriate action to prevent any further damage
  • Assess the risk. As soon as the threat has been contained, take the time to assess how much damage has been done. This includes looking at the type of data involved, the sensitivity of that data, the amount of data involved and its vulnerability (e.g. was it encrypted)
  • Assess the damage. As well as looking at what has been accessed, figure out what you have lost. Have you got a good-quality and recent copy of the data?
  • Notify regulators. As established above, you have 72 hours after discovering the breach to inform the ICO
  • Notify those affected. To protect the data subjects as much as possible you should let them know what has been accessed. This will enable them to put necessary security measures in place (e.g. change passwords). An individual does have the right to launch a compensation claim against your organisation should it fail to look after their data adequately. But not letting people know is likely to make the situation worse and could lead to even larger compensation claims
  • Plan for the future. Putting a robust plan in place following a breach is vital. Both to reduce the impact of the incident and mitigate the risk of any future breaches. Look at how security measures can be improved, and staff made more aware of their responsibilities.

Despite the GDPR, email is still one of the most valuable communication channels available to marketers. It has the highest ROI of any marketing channel and the power to convert your leads and prospects into customers. Crucially, despite all the talk of massive fines, GDPR presents great opportunities for both B2B and B2C marketers. The bottom line? More recipients getting emails they want to receive, and less wasted budgets on cold or irrelevant data. Your email campaigns will be more targeted and see better results.
