The date circled in many people’s diaries for quite some time now, 25th May, is nearly here. Rob Stone, our Head of Digital, helps navigate you through some of the bigger concerns around GDPR.
As most people know by now, 25th May sees a major upgrade to the EU’s overarching data protection framework. Yet even with this date 24 hours away, there is still a large amount of disinformation and confusion about what these changes mean for businesses.
Here are 3 myths still doing the rounds:
- It’s all over on May 25th
Just like the lead actor says at the end of a Hollywood blockbuster that has a smart commercial eye on a lucrative sequel, this is only the beginning.
A lot of our clients are understandably working hard to be prepared for May 25th, but GDPR compliance will be a constant feature of marketing until some other legislation comes in to replace it.
It seems likely that genuine regulation will be in force from that date, but the regulators are committed to being fair and proportionate. Any organisation showing that they’re making an ongoing commitment to understanding the data they have on customers, putting robust processes in place and maintaining proper security and training programs should be fine.
- It’s all about consent
Consent is clearly an important factor in marketing communications and typically what best practice would have dictated long before GDPR was even on the horizon, but while GDPR requires a higher standard for consent, current data privacy laws have always required a clear, active opt-in at the point of data collection.
GDPR simply removes the grey areas and clarifies what consent actually entails, for example specifying that pre-ticked opt-in boxes aren’t an indication of valid content or that people should have regular, easy opportunities to opt-out.
You should however ensure that the consent you have for the data you already hold meets the standard for GDPR, which isn’t the case for many marketing databases. In this case you’ll need to consider refreshing content or deleting the data altogether.
What GDPR really focuses on is having a lawful basis for processing data. Consent is just one of the six lawful bases for processing and the ones that are important to your organisation very much depend on your relationship with the person you are collecting data from and your purpose for collecting that data.
The full guidance on lawful bases for processing data can be found here – https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/
- GDPR is a revolutionary change
When Dan from IT leans back in his chair, sighs deeply and proclaims that GDPR is a cataclysmic event that will change everything, you can tell him that it’s really just an evolution of existing data privacy laws.
Any organisation or brand that was already adhering to existing data privacy laws won’t have sweeping changes to make. In addition, any marketing teams who operated with best practice in mind may have already been going above and beyond, as was the case with many of our clients.
GDPR doesn’t represent a significant change in attitude from a regulatory perspective. There will be additional work to do to comply with the new regulations in most cases, but if you are already treating sensitive data with care and have no reason for your customers not to trust you, the ongoing impact should not be a huge burden.