As a data-focussed company, getting to grips with GDPR is an imperative for Circdata. Having begun the lengthy process of conducting their own Data Impact Assessment under the terms of the Regulations, it has become increasingly clear what the implications for their clients are.
Another thing that has become increasingly clear is the number of misconceptions, and how, with such an enormous and broad piece of legislation, things can quickly get lost in translation.
It would be correct to say that the regulatory authorities and industry bodies are clearly focussed on the major players (or miscreants). A data breach by an internet provider, a financial institution or healthcare provider, or data misuse by a leading charity creates unattractive headlines that only serve to bolster public mistrust of the direct marketing industry. Consequently, these are the key industries which are currently being subjected to the most exacting scrutiny.
Anyone involved in the B2B marketplace would be forgiven for self-interpreting the messages they are receiving as ‘business as usual’. But this is very far from the case because that advice is undoubtedly based on practices which aren’t currently being followed.
The events and publishing industry operates on a quid pro quo basis, i.e. you give me your data and I’ll give you something in return, e.g. a free subscription to a magazine or entry to my exhibition. It’s a mutually beneficial arrangement. For the purposes of the DPA, and now GDPR, this would be considered to be a relationship operated under Legitimate Interests, i.e. there is a relevant and appropriate relationship between the individual and the organisation.
Within the status of this relationship, an individual must reasonably expect that they will be sent further offers after they have signed up for a company’s product/service, even in the case of a paid-for subscription. The individual must be told this, and given the option to ‘opt out’ at any point if they no longer wish their data to be processed in this way.
It isn’t all good news, however. If you have been processing your data under Consent (i.e. you’ve been using lots of little tick boxes) then you are not permitted to claim processing under Legitimate Interests post-implementation, so you still need to get your data in order before 25th May 2018 to continue using it. And, if you continue blasting your databases with masses of inane email messages, then your opt-out/unsubscribe rates are going to rise, so it is time to reassess this strategy as well.
Meanwhile, remember that for most organisations, marketing permissions aren’t the thing you should be most worried about where GDPR is concerned. Your data security is. As one speaker at last week’s EventHuddle put it:
Remember that the minute you download an unsecured spreadsheet of Personal Data* onto an unsecured laptop you are in Breach
If you are still permitting data to migrate through your organisation via Excel, with no checks and balances on who can see it, then this statement should send shivers down your spine.
*Personal Data – any information that identifies an individual person.