GDPR has been looming for a while now, but today it is on our doorsteps. It’s not just soon; it’s tomorrow. Is it time to panic, as seems to be the prevailing belief? No, definitely not! Whether you have started your transformation programme or not, here is some advice for this week:
Although we are all being bombarded with re-consenting emails, if you have assessed your contact database and decided, using the ICO guidance, that your consents already meet GDPR standards (helpful blog posts on that here, here, and here, even if I do say so myself), don’t feel pressured to follow suit. Doing so will likely mean a huge blow to your contact list for no compliance gain.
It does seem as though a few organisations are sneaking through consent emails to people with whom they only had a tenuous relationship in the past, or no relationship at all (I can say I've personally had a few from companies I've never heard of!). Although it can seem a tempting strategy for bumping up marketing list numbers, any complaints received by the ICO during this time will still be looked at (although likely a bit late), so the risk of being found in breach by the ICO and fined for it is still present.
Ignore the Journalists
Ignore absolutely all reporting from anywhere which isn’t from an information law expert. As awareness grows that organisations have to do something about data protection, so does reporting on it. However, it is a complex subject, and a lot of the nuance has been lost by reporters. This means editorial oversights and plain mistakes from respected sources are rampant. To name (and shame) a few:
I could go on for days listing mistakes from well-meaning journalists, as almost every article I have read includes glaring inaccuracies. It’s advisable to ignore them altogether to avoid spinning out in a panic. Taking them seriously can do real damage: from undoing hard work already undertaken because you have read in multiple sources that the measured path you have taken is incorrect, to making rash decisions about what needs to be done going forwards if you haven’t started your change programme yet.
If you have yet to get your change programme in place to uplift your organisation to GDPR standard, hopefully all the emails and hype this week will help push the need for it internally. However, it is highly unlikely you will be bombarded with right to erasure requests come Friday, so plan the change programme using reliable sources and your knowledge of your organisation, rather than attempting to enact it in a panicked few weeks (or even days). Rushed compliance will lead to mistakes and may be costly for several reasons: overdoing it (not all of your systems will need APIs to meet data portability requirements; possibly none will), underdoing it (a rush job now will likely mean less interest or funds to become compliant later), or doing it wrong (take your time to take stock of what information you have, which requirements apply to you, and how to implement them in a way that fits your business and its culture).
Yes, GDPR is a 'big deal', and yes it is here tomorrow, but there is no need to panic. Especially if your own change programme is well underway!
With all the focus on GDPR implementation in the run-up to the 25th May, it would be easy to think that implementing the regulation and moving your change programme into business as usual would be the end state of privacy legislation, at least for now. Unfortunately change is in the air, and there are quite a few things organisations need to keep an eye on, namely:
GDPR Case Law
Assumptions and organisational bets have been made around exactly how to interpret some of the vaguer aspects of the GDPR (looking at you, legitimate interests for marketing!), and these will be settled through case law and ICO enforcement notices. It will be interesting to see how lenient the ICO is with fines and exactly what stance it takes on issues which have been hotly, but until now hypothetically, contested. Although points of law can be appealed if a decision is made against your organisation by the ICO, it is nonetheless prudent to ensure your organisation learns from others’ mistakes to avoid a similar fine.
ePrivacy Regulation
The replacement for PECR is coming up, and is more far-ranging with less scope for nuance (or at least its draft form is!). This will be one to watch, especially for digital marketers and for any of the new ‘smart’ technology such as smart meters or other ‘internet of things’ services. Organisations will have to carefully implement technical changes where they apply, such as collecting less location metadata around communications content, changes to cookies, and changes to how you can contact people.
Restriction of Model Contract Clauses to exclude the US
As discussed in a previous blog post, there is highly likely to be a decision which means that Model Contract Clauses can no longer be used for transfers to the US. These are the legitimisation route most companies use when dealing with businesses outside the EU. The recent Facebook debacle has likely brought this forward somewhat, although the case has been ongoing for some time. This makes Privacy Shield certification a much bigger priority for US companies that want to do business with the EU, and would also mean that any data processors who process in the US would need to be reviewed with fresh eyes.
Data Protection Bill
The Data Protection Bill should be read side by side with the GDPR. It adds provisions, where the GDPR allows, in areas such as immigration, is especially important for those in law enforcement or national security, and details more powers for the ICO. As was in the news this week, there are still considerable amendments being made to the Bill, and a lot more discussion to be had about what makes it into the final text, as it seems to be a medium for stirring up controversy on everything from freedom of the press to immigration enforcement. As it is now in the final straight to becoming law it won’t undergo a full revamp, but some surprises could yet be in store. It is certainly a document with implementation ramifications which a lot of organisations will want to pay attention to.
Supervisory Authority Guidance
The ICO releases some great pointers on how to comply with information law, but so far its updated guidance for GDPR hasn’t been particularly comprehensive. This may be purposeful: with so many other changes afoot, it may have been decided it is prudent to wait until the dust has settled to write authoritative guidance. Once the Data Protection Bill and the ePrivacy Regulation are through I would expect an increase in helpful guidance from the ICO, which may be radically different from how a given organisation has implemented GDPR. There are also other powers and responsibilities under GDPR that the ICO will need to fulfil which need to be looked out for, such as standard data protection clauses for international data transfers, which would presumably supersede the current Model Contract Clauses. The ICO’s blog and published speeches are a great way to head off differences in implementation with the regulator, as their stances are often alluded to much earlier than official guidance is released.
Codes of Conduct
Referred to explicitly in Article 40 of the GDPR as a way to encourage proper application of the legislation, these have yet to rear their head. It’s not just the ICO who can write them: governing bodies of different sectors can draw them up too, but they would need to be developed in conjunction with and approved by the ICO. Look out for bodies such as the Financial Conduct Authority, the Fundraising Regulator and the Direct Marketing Association releasing official privacy Codes of Conduct.
You may have been getting a lot of emails recently, likely from recruitment companies and retailers, telling you that they have you as opted in on their marketing systems and that they would like to keep marketing to you, but that you’ll need to let them know you are still happy for them to. These are examples of organisations ‘refreshing’ consent, or uplifting their 'consents' to meet GDPR compliance levels. You may need to use the same approach for some of your contacts; however, don’t worry, you likely won’t need to do it for all contacts. The discussion below is for 'BAU' marketing only, i.e. consent to receiving all marketing communications.
This uplift is being spurred on by GDPR: although the Privacy and Electronic Communications Regulations (PECR) are the main legislation for electronic marketing, you also have to comply with GDPR. PECR does not specifically say you need a positive indication like a tick box for consent, and neither did the DPA. However, with a few exceptions for legitimate interests (and, as the ICO has stated, those are only to be used sparingly), GDPR states that consent needs to be shown by an affirmative action. This means no more soft opt-ins in BAU marketing, or 'implied' consent.
Do I need to do it for everything?
No, just your 'soft opt-ins', or anything for which you don’t know whether you asked a GDPR compliant question. As the Article 29 Working Party has noted: ‘Consent which has been obtained to date continues to be valid in so far as it is in line with the conditions laid down in the GDPR’. This is where good records management practices will pay dividends: if you have details of all the questions you asked to gain consent, and they are GDPR compliant (as per my last blog post), then you are good to go. No refreshing needed here! However, this is also where not-so-good records management practices are going to sting you. You’ll need to hunt around your approvals or web design records to find the questions and the manner in which they were asked (no pre-ticked boxes!). If you can’t find any, or you find them and none of the questions are compliant (they are all opt-out, or have pre-ticked boxes, for example), then you'll need to refresh consent for all of those contacts. As discussed in the first of the GDPR debunking blog posts, you don’t actually need consent to contact customers in a lot of circumstances, only for marketing.
Isn’t asking people if they want to be marketed to considered marketing?
Before the 25th May, asking people who you market to compliantly under the DPA whether they still want to receive communications is fine, as we are still operating under that legislation. Afterwards, it will likely be seen as very similar to the Honda situation, where you are asking borderline or grey-area contacts whether they want to be marketed to. This is not viewed lightly by the ICO, and is likely to get you a fine. The fine Honda received was £13,000 of a possible £500,000, which tells us that it was not seen as a particularly severe breach of PECR, but a breach all the same. If you want to do it right, and risk free, it is advised that you do it before the 25th May.
What about refreshing consent to keep it up to date?
This guidance comes from the ICO’s draft GDPR guidance on consent and isn’t necessarily in the GDPR itself. The background to it is explored in detail in my previous blog post. The time-limited aspect is mentioned in PECR, as it is implied you can’t keep the consent indefinitely. How long the consent remains valid will depend on your relationship with the customer, client or supporter. If a person has consented to marketing and is using a continuous service such as water or electricity, or is a registered supporter with a longstanding monthly donation to a charity, this will need to be treated differently from a person who consented to marketing when they made a one-off purchase, such as at an online retailer. It is likely a safe bet to assume that if a customer has consented to marketing at the start of a relationship, and that relationship is ongoing, the consent doesn’t need to be refreshed until after that relationship is over.
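The two questions in this post, whether a compliant record of the consent wording survives (no pre-ticked boxes, no opt-out framing) and whether the relationship is still ongoing, can be turned into a repeatable triage over a consent database rather than a one-off hunt through approvals folders. The script below is an added worked example written for this page, not code from the original post or from the ICO. The record layout, the field names and the sample contacts are constructed for illustration, and the two-year limit applied to consents from lapsed one-off relationships is an assumed organisational policy value: the post gives no figure, so choose your own and document why.

```python
"""Consent-record triage: which marketing contacts need a refreshed consent?

Added example, not code from the RiverWolf post. The rules encode the post's
tests: no record of the wording, a pre-ticked box or opt-out wording means
refresh; affirmative consent in an ongoing relationship is kept. The age
limit for consents from lapsed one-off relationships (lapsed_max_age) is an
ASSUMED organisational policy value, not something the post specifies.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

KEEP = "keep"
REFRESH = "refresh"


@dataclass(frozen=True)
class ConsentRecord:
    contact_id: str
    question_text: Optional[str]   # wording shown to the person; None if no record survives
    pre_ticked: bool               # the consent box was ticked by default
    opt_out_wording: bool          # framed as "untick if you do NOT want..." rather than opt-in
    obtained: date                 # when the consent was captured
    relationship_ongoing: bool     # continuous service, regular donation, active account


def triage(rec: ConsentRecord, today: date,
           lapsed_max_age: timedelta = timedelta(days=730)) -> Tuple[str, str]:
    """Return (decision, reason) for one consent record."""
    # Records management failure: cannot show what was asked, so cannot show valid consent.
    if rec.question_text is None or not rec.question_text.strip():
        return REFRESH, "no record of the consent question that was asked"
    # No affirmative action: pre-ticked boxes are not GDPR-grade consent.
    if rec.pre_ticked:
        return REFRESH, "consent box was pre-ticked, so there was no affirmative action"
    # Opt-out framing is implied consent, not a positive indication.
    if rec.opt_out_wording:
        return REFRESH, "consent was framed as an opt-out rather than an opt-in"
    # Compliant wording at the start of a relationship that is still live: keep.
    if rec.relationship_ongoing:
        return KEEP, "affirmative consent at the start of an ongoing relationship"
    # One-off relationship: apply the (assumed) policy limit on how long consent is kept.
    if today - rec.obtained > lapsed_max_age:
        return REFRESH, f"one-off relationship and consent older than {lapsed_max_age.days} days"
    return KEEP, "affirmative consent from a recent one-off relationship"


def triage_all(records: List[ConsentRecord], today: date,
               **kwargs) -> Dict[str, Tuple[str, str]]:
    """Triage every record, keyed by contact id."""
    return {r.contact_id: triage(r, today, **kwargs) for r in records}


# Constructed sample data for the example; not real contacts.
SAMPLE: List[ConsentRecord] = [
    ConsentRecord("c1", "Tick here to receive our monthly newsletter by email",
                  False, False, date(2016, 3, 1), True),
    ConsentRecord("c2", "Untick this box if you do not want marketing",
                  False, True, date(2017, 6, 1), True),
    ConsentRecord("c3", "I'd like to hear about offers",
                  True, False, date(2018, 1, 10), False),
    ConsentRecord("c4", None, False, False, date(2015, 5, 5), False),
    ConsentRecord("c5", "Yes, email me about new products",
                  False, False, date(2018, 4, 1), False),
    ConsentRecord("c6", "Yes, email me about new products",
                  False, False, date(2015, 4, 1), False),
]


def triage_sample(today: date = date(2018, 5, 24)) -> Dict[str, str]:
    """Decisions only, for the constructed sample, as of the day before GDPR applies."""
    return {cid: decision for cid, (decision, _) in triage_all(SAMPLE, today).items()}


if __name__ == "__main__":
    for cid, (decision, reason) in triage_all(SAMPLE, date(2018, 5, 24)).items():
        print(f"{cid}: {decision:7} {reason}")
```

Run against a real export, the output is the list of contacts to exclude from BAU marketing (or to re-consent, if that is still done before the 25th) together with the reason, which is also the evidence trail you would want if the ICO asked why a given contact was or was not re-contacted.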
Next week, RiverWolf will be looking at GDPR Mania in the run-up to GDPR implementation on the 25th May.