What is GDPR?
The General Data Protection Regulation (GDPR) is now in force. GDPR replaces the 1995 Data Protection Directive, which the UK implemented as the Data Protection Act 1998, and applies to both 'controllers' and 'processors'. It covers organisations established within the EU, as well as those outside the EU that offer goods or services to individuals in the EU or monitor their behaviour. The enforcement and obligations of GDPR will not be affected by the UK's planned exit from the European Union in March 2019.
CIM is committed to enabling marketers and their organisations to handle consumer data correctly, creating a marketing advantage for the benefit of professionals, business and society.
Whilst GDPR affects everyone within an organisation, marketers are particularly well placed to drive GDPR compliance throughout their business. With a superior knowledge of the customer, marketers are able to enter into a dialogue with consumers about the changes GDPR requires, and to understand what customers are willing to accept.
Organisations found to be in breach of GDPR after 25 May 2018 can be fined up to 4% of annual global turnover or €20 million, whichever amount is larger. This is the maximum fine for the most serious infringements, such as processing personal data without a lawful basis (for example, relying on consent that was never validly obtained). Fines are tiered: lesser infringements, such as failing to keep adequate records, carry a lower maximum of 2% of annual global turnover or €10 million, and the tier is set by the nature and severity of the infringement, not only by whether a data breach occurred.
Under GDPR, every business must have a lawful basis for each item of personal data it collects and processes. Consent is one such basis, and where it is relied upon it must be freely given, specific, informed and unambiguous. Businesses must also provide clear and comprehensive privacy notices so that individuals understand how their data will be used. SMEs should note that businesses of all sizes must be able to demonstrate that consent was given when they rely on it to process personal data. Any small business that processes data on behalf of a client firm must also be able to show that it has appropriate data-processing controls in place that comply with GDPR.
Whilst GDPR affects businesses of all sizes, large organisations in particular need to consider key areas of the new legislation, such as: reconsent of existing contacts; double opt-in as a means of evidencing consent; ensuring that existing data, not only newly collected data, is compliant; transferring data across European borders; and the new Data Protection Act. These are areas expected to receive clarification in the coming months, before GDPR takes effect.
The Data Protection Bill seeks to extend GDPR standards to those areas of processing that fall outside the scope of GDPR itself, creating one regime across the board. It also aims to 'Brexit-proof' GDPR so that after Britain withdraws from the European Union, GDPR will still work under UK law. However, it is currently unclear when the resulting Data Protection Act (DPA) will come into force, as commencement requires an order by the appropriate Secretary of State.
A Data Protection Officer must be appointed where an organisation is a public authority, or where its core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of personal data (often called sensitive data) or of data relating to criminal convictions.
We offer a choice of courses, so you can learn more about GDPR in a way that suits you:
An interactive online course providing guidance on how to ensure your marketing strategy and campaigns are compliant.
Essential Guide to GDPR and ePR for Marketers
A one-day course by Duncan Smith, explaining how to deliver successful, lawful, profitable and ethical direct marketing programmes.