The GDPR will affect any organisation that collects and processes the data of any citizen within the EU… so that basically means that almost all businesses will need to comply with it in some way.
But what does it actually mean for you as a digital agency?
The marketing industry will be affected in 3 main areas: consent, the right to be forgotten, and the legal basis for processing personal data.
Consent
The GDPR states that consent must be ‘freely given, specific, informed and unambiguous’ – what this means for you is that something like a pre-ticked box at the bottom of a form ISN’T going to be acceptable anymore.
A specific confirmation to opt-in will be the standard, and not a reliance on people to opt-out.
On top of this, consent can ‘expire over time’. There isn’t a defined limit for this but let’s say that a customer subscribes to a 12 month subscription to something and also opts in to receive marketing communications. If after the subscription period they choose not to renew, then arguably that would also mean their initial consent to receive marketing communications has expired – new consent would be required.
The right to be forgotten
This is where the individual has more control over how their data is collected and used, and so providing them with some means of having their data removed. This could be applied in several situations:
- When there’s no legitimate reason to process their personal data
- When they withdraw consent for it to be used on the original terms
- When it’s been unlawfully processed
Legal basis for processing data
In practical terms what this means is that there will need to be better ‘housekeeping’ – more detailed records will need to be kept so a Data Controller will be obliged to keep records of when and where an individual gave consent and what they gave consent for.
If an individual asks, you have to provide it.
They should also be reminded of their rights and what data is stored on them, and on top of this, records should be kept of when they were last reminded.
So how can you prepare?
The first step would be to audit any data that you already own and to understand how it moves around within the business. You’ll need to understand:
- What data is where
- What consent is associated with it
- Who is processing it so that you can comply with any potential requests from individuals or authorities
I’ve already mentioned the hefty fines associated with non-compliance in a previous article, so unless you think you can afford to take a €20 million hit, it’s time to make some changes.