Any topic relating to customer data can be tricky.
The key is fully understanding the regulations, doing what is right for the consumer and doing ‘compliance by design’.
General Data Protection Regulation (GDPR)
The GDPR was adopted in April 2016 and entered into force on 24th May 2016, but it does not apply until 25th May 2018.
It affects data controllers and data processors alike, and places direct legal obligations on processors for the first time.
Brexit may mean these rules change again, but it is certain that regulation very similar to this will remain in place.
In summary, the definition of personal data has been broadened: it covers ‘any information relating to an identified or identifiable natural person’, and the regulation makes clear that online identifiers count. This means the majority of online data is now personal data, including IP addresses, cookie IDs and similar identifiers whenever they can be combined with other data to single a person out.
The regulations also set out a range of new and clarified consumer rights and organisation obligations, including:
1. Consumer consent has to be unambiguous. Therefore there needs to be a clear affirmative action.
- ‘Silence, pre-ticked boxes or inactivity’ do not constitute consent
- Some channels may suffer as a result, so statements and wording need to be optimised to limit the impact. It is recommended to assess the effect that moving to ‘opt-in’ will have on the size of the marketing database.
2. Consumers have the right to privacy by default. Therefore permission must be actively collected.
- Opt-in/out boxes cannot be pre-set to ‘in’
- Privacy settings must default to blocking contact: consumers must tick a box to receive marketing comms, never un-tick one to avoid them.
3. Consumers have the right to the erasure of personal information (also known as ‘the right to be forgotten’). This is one of my favourite subjects to discuss at the moment.
- A minimal record may be retained so that the erasure request itself is honoured, but it must be kept to the minimum needed – for example, the customer’s name and the fact that they asked to be forgotten (a suppression record), not their full profile.
- If the customer later gives fresh consent, that newer consent overrides the earlier erasure request; the most recent instruction from the customer always applies.
4. Consumers have the right to data portability. Therefore it should be easy for consumers to switch providers: data they have supplied must be available to them in a structured, commonly used, machine-readable format.
5. Consumers have the right to privacy by design. Therefore data protection must be visibly planned into projects from the outset.
- A data protection impact assessment (DPIA) must be completed where new technology or a new use of data is likely to be high risk to individuals
- Record keeping and audit trails of processing activities will be required
- A data protection officer (DPO) must be appointed where the regulation requires one (public authorities, and organisations whose core activities involve large-scale monitoring or processing of sensitive data)
6. The right to object to profiling and associated processing. Therefore some profiling will now need consent.
- Any automated processing that evaluates personal aspects of an individual, or predicts and analyses their behaviour, interests or preferences, may need consent
- Decisions based solely on automated profiling that have ‘legal effects’ (or similarly significant effects) will need explicit consent or another specific legal basis, and profiling for direct marketing will need an ‘opt out’ that the consumer can exercise at any time.
7. A new definition of what constitutes a personal data breach: any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Therefore there must be a documented process for handling one.
- Organisations must inform the Information Commissioner’s Office (ICO) without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals
- If the breach is likely to be a high risk to individuals, it must also be communicated to the affected consumers without undue delay and in plain language