There’s a lot of confusion and apprehension about the upcoming General Data Protection Regulation (GDPR). Many business owners are worried about what changes need to be made prior to the regulation being enacted and how these changes will affect B2B marketing.
The GDPR is an EU-wide regulation that comes into force in the UK on the 25th May 2018 and is replacing the UK Data Protection Act 1998 (DPA). Although many companies may assume that this new legislation will be hampered by Brexit, the UK government has stated that the introduction of the GDPR won’t be affected by the UK leaving the EU. How Brexit will affect this regulation in the long term is unknown, but for now it’s business as usual.
The overall idea behind the new regulation is to bring all organisations within the EU under the same set of rules, streamlining the process. There is also a notable effort to strengthen data protection laws for the consumer, covering both how their data is collected and how it is processed. This is in response to a changing world, with online data protection being more important now than ever before.
Although many of the principles of the original DPA are being brought forward to the GDPR, there are some notable changes.
One example is jurisdiction: the new regulation pertains to the data processing of every resident within the EU. It has been made very clear that this law still applies if the data is processed outside of the EU, or even if the organisation collecting the data is based outside of the EU.
Consent is another big change within the GDPR. Previous legislation was slightly vague on the issue of consent, which meant companies could bend the rules slightly by hiding the fine print or using jargon and legalese. Now they are obliged to present their request for consent in a completely accessible and transparent manner. This same commitment to clarity and accessibility should also be shown for consent withdrawal.
There are a number of data subject rights which have been clearly set out. These include subjects being able to find out if their data is being processed, why it is being processed and where it is being processed. If there is a data breach, subjects should be notified of it within 72 hours of the company being made aware of the breach. Subjects should be given full access to their data if requested. Furthermore, a subject can ask for their data to be erased from the system, and the data holder is required to comply.
What about B2B?
Many B2B organisations aren’t too worried about the new regulation because it doesn’t distinguish between B2B and B2C. However, there is another piece of legislation called the Privacy and Electronics Communications Regulation (PECR) which does talk about B2B companies specifically. This legislation is also being overhauled and the new version is bringing in changes that will affect B2B marketing.
One such change is that social messaging, web-based email, IoT and VoIP are now going to be treated in the same way as emails, calls and SMS. Another development is that users must be provided with a clear opt-in/opt-out option for browser cookies. The rules regarding emails have had a slight change: companies will still be allowed to send marketing messages to existing customers (soft opt-in); however, the content of the email can only be about the sale.
It should also be noted that the rules governing these types of interactions may change if a company is interacting with a sole trader, as they would then be considered an individual and the GDPR would kick in.
What about the Penalties?
Supervisory Authorities can and will consider penalties if they think companies are noncompliant with the GDPR. The SAs have many supervisory and corrective powers that they will use if they find evidence of a business not adhering to the new legislation. These include data protection audits, access to premises, access to data, warnings and temporary or permanent bans on processing.
There are serious consequences to noncompliance with the new regulation. These come in the form of fines, ranging from £10 million to £20 million or 2% to 4% of annual global turnover respectively, whichever is higher.
It’s clear that there is still a lot of confusion surrounding the new GDPR and how it applies to B2B marketing and data usage. It’s recommended that business owners complete thorough research and implement any relevant changes prior to the new regulation coming into force, otherwise they could face a hefty fine.
You can find detailed information on GDPR from the ICO (https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/) and the DMA (https://dma.org.uk/).