As with any legislation, our approach is to understand the intent of the regulation, align and document our internal procedures against it, and then audit so that we can prove compliance and produce evidence in response to an enquiry from a customer or regulator. The first decision is whether GDPR or PECR applies to you at all. For GDPR, if you process the personal data of individuals in the EU, it probably does: it applies to organisations established in the EU, and also to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour, so it does not matter whether you are based in an EU member state. There are exceptions, and these are detailed in the template if you want to find out more.
The GDPR is a regulation rather than a directive, which means it is a single piece of legislation that applies directly across all EU member states without having to be transposed into national law. As the UK will still be a member of the EU when GDPR takes effect on 25 May 2018, it therefore applies to the UK. For electronic marketing communications there are additional rules in the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), which cover channels such as email and SMS. These apply in addition to the requirements under GDPR.
PECR treats marketing email differently depending on whether it is sent to “individual subscribers” or “corporate subscribers”. In our business, communication with corporate subscribers is key; these are companies and other incorporated bodies such as Limited Liability Partnerships. Note that sole traders and ordinary (non-LLP) partnerships count as individual subscribers, so the corporate rules do not cover them. PECR allows electronic direct marketing to be sent to corporate subscribers without prior consent, unless the recipient has asked not to receive emails from the sender (“opt-out”). To comply with PECR, every direct marketing email must identify the sender and include a working “unsubscribe” option, and that is the documented procedure we have in place. Bear in mind that a named employee’s work email address is still personal data, so GDPR continues to apply to how you process it even where PECR’s consent requirement does not.
The main thrust of GDPR is the control and processing of personal data. It is widely accepted that the current rules, set out in the 1995 Data Protection Directive, needed modernising: they were introduced at a time when many of today’s online services and the data protection challenges they bring did not exist. With social networking sites, cloud computing, location-based services and smart cards, processing of personal data has grown exponentially. We need a robust set of rules to make sure people’s right to personal data protection remains effective in the digital age. Hopefully, the regulation will at the same time be beneficial for the development of the digital economy.
Definition of Personal Data – Article 4(1) of the Regulation defines personal data as any information relating to an identified or identifiable natural person. That covers the obvious elements such as name, address, gender and date of birth, but also less obvious identifiers such as an IP address or other online identifier. Accountability is not a new idea, but GDPR (Article 5(2)) makes organisations explicitly responsible for demonstrating compliance, so you must record and document how you meet each of its requirements. GDPR also gives individuals more rights over their data, including more control and visibility of how their personal data is used, the right to have it erased (Article 17) and the right to have it moved to another provider in a portable format (Article 20).
There will be heavy sanctions for breaches, including fines of up to 4% of total worldwide annual turnover or EUR 20 million, whichever is higher, for the most serious infringements. To help you avoid them, we have created a template that guides you through the key actions. To comply you need to identify your key processes, document them as needed, and keep an audit trail that proves compliance.
Hopefully, our templates will help guide you through these changes.