The GDPR applies from 25 May 2018, but how do you navigate the confusing jargon? Here is our handy GDPR jargon buster to help clarify the legislation and help you prepare for the new data rules.
What Is The GDPR?
The EU General Data Protection Regulation (GDPR) replaces the 1995 Data Protection Directive. The older legislation was written before technologies such as smartphones, location tracking and behavioural cookies were widespread, so it did not clearly cover the identifiers they generate.
The GDPR treats online identifiers as ‘personal data’: this includes IP addresses, cookie identifiers, mobile device identifiers and location data, wherever they can be linked to an identifiable person.
The regulation also requires companies to be clear about how, why and when they will use personal data. For example, a pre-ticked box on a competition entry form that ‘gives permission’ to contact the entrant for marketing is no longer valid consent. The individual must tick the box themselves: consent has to be a clear, affirmative action, and silence, inactivity or a pre-ticked box does not count.
What Is Explicit Consent?
Where you rely on consent, individuals must give it for each specific use of their data. The GDPR’s standard is consent that is freely given, specific, informed and unambiguous, given by a clear affirmative action; ‘explicit’ consent is the stricter form required for special category data, but for marketing the practical test is the same: a positive, recorded choice. For example, a person may state that they wish to be contacted about marketing offers by email, but not by telephone.
If a business then contacts that person by telephone, it is processing their data without a valid basis and risks enforcement action, including fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher.
Consent must be tied to a purpose. An individual may sign up to receive a newsletter of blog updates, for example, but that email address cannot then be added to a marketing list without separate consent from the individual.
Consent may be obtained using a tick box, or a double opt-in system for emails. However you choose to obtain it, you must be able to demonstrate it, so keep a record of who consented, when, how (which form or page), and what they were told at the time.
What Is An Opt-Out?
Individuals have the right to access the personal data you hold on them, and the right to change their mind: consent can be withdrawn at any time and must be as easy to withdraw as it was to give, and anyone can object to direct marketing at any time, at which point the marketing must stop.
For example, if somebody once signed up to your email newsletters, you must give them a simple way to stop them, such as an unsubscribe link in every marketing email or a preferences page in their account, and honour that choice promptly.
What Is The Right To Be Forgotten?
The right to erasure (‘right to be forgotten’) lets an individual ask a business to delete their personal data, for example where the data is no longer needed for the purpose it was collected for, or where they withdraw the consent it was based on.
You must respond without undue delay, and in any event within one month of receiving the request (this can be extended by up to two further months for complex or numerous requests, provided you tell the individual within the first month).
There are some exceptions, however: if financial transactions exist between the business and the individual, the records needed to meet accounting and tax obligations can be retained. Good practice is to keep only what the legal obligation requires, archive it separately, and restrict access to the staff who need it.
The other exceptions include processing needed for freedom of expression and information, to comply with a legal obligation or carry out a task in the public interest, for public health, for archiving, scientific or historical research or statistics, and to establish, exercise or defend legal claims. For a more comprehensive list of these exceptions, see the ICO website.
What Is Sensitive Personal Data For The GDPR?
The GDPR makes a distinction between ‘personal data’ and ‘special category data’ (often still called ‘sensitive personal data’).
Special category data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data used to identify someone, and data about health, sex life or sexual orientation. It can only be processed if you meet one of a short list of conditions, such as explicit consent. Children’s data is not a special category, but it attracts extra protection, so treat it with the same care.
All other personal data is any information relating to an identified or identifiable individual. This could be anything from a name, gender, phone number or IP address to a record of buying habits.
Can I Use Buying Behaviour For ‘Recommended Purchases’ On My Website?
While the GDPR classifies buying behaviour as personal data, there are ways it can be used. This is thanks to the ‘legitimate interest’ clause, explored in more detail below.
What Is ‘Legitimate Interest’ For The GDPR?
You may process customer data without consent if you can rely on ‘legitimate interests’ as your lawful basis. Direct marketing can be a legitimate interest, but you must carry out and record a three-part assessment: identify the interest, show the processing is necessary for it, and balance it against the individual’s interests, rights and expectations.
This means you can, for example, send a postal direct mail campaign to previous customers even if you have never done so before. State in your campaign why you are contacting them (for example, because they are previous customers), mention the use in your privacy notice, and give them an easy way to opt out. Note that electronic marketing (email, SMS) is also governed by the separate e-privacy rules (PECR in the UK), which generally still require consent.
Only rely on legitimate interests if there is no less intrusive way to achieve the same aim. For example, if you want to use personal data to inform product recommendation decisions, this could often be done with anonymised, aggregated data and therefore may not require personal data at all.
What Is Anonymised Data For The GDPR?
Anonymised data is data from which no individual can be identified, by you or by anyone else, and the process cannot be reversed; the GDPR does not apply to truly anonymous data. Encrypted or ‘scrambled’ data is not anonymised: whoever holds the key can recover the individual, so it remains personal data (the GDPR calls this pseudonymisation, which is a useful security measure but does not take the data out of scope).
For example, you may use customer data to produce marketing reports that do not identify anyone by grouping records into bands (age range, region, product category) and reporting only counts, rather than following the activity of one individual customer.
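The difference between pseudonymised and anonymised data, as an added illustration that is not part of the original post: a keyed hash (HMAC) of the email address removes the obvious identifier, but the token is deterministic, so the record can still be re-linked to a named person by anyone holding the key, and the remaining fields (age, postcode) can still single someone out. Aggregating into age-band and product counts and suppressing small groups produces output that no longer relates to an identifiable individual. The customer records, the key and the minimum group size are constructed for the example.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample records for the example; not real customer data.
CUSTOMERS = [
    {"email": "alice@example.com", "age": 34, "postcode": "S1 1AA", "product": "flyers"},
    {"email": "bob@example.com",   "age": 38, "postcode": "S1 2BB", "product": "flyers"},
    {"email": "carol@example.com", "age": 31, "postcode": "S2 3CC", "product": "flyers"},
    {"email": "dan@example.com",   "age": 52, "postcode": "S3 4DD", "product": "business cards"},
    {"email": "erin@example.com",  "age": 57, "postcode": "S3 5EE", "product": "business cards"},
    {"email": "frank@example.com", "age": 29, "postcode": "S4 6FF", "product": "posters"},
    {"email": "grace@example.com", "age": 45, "postcode": "S5 7GG", "product": "flyers"},
    {"email": "heidi@example.com", "age": 36, "postcode": "S6 8HH", "product": "flyers"},
]


def token_for(email: str, key: bytes) -> str:
    """Keyed, deterministic token for an email address (HMAC-SHA256)."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Replace the email with a keyed token. This is pseudonymisation:
    the same email always maps to the same token, the key holder can
    confirm who a token belongs to, and age + postcode remain in the
    record, so the output is still personal data under the GDPR."""
    return [
        {"token": token_for(r["email"], key), "age": r["age"],
         "postcode": r["postcode"], "product": r["product"]}
        for r in records
    ]


def relink(token: str, candidate_email: str, key: bytes) -> bool:
    """Anyone holding the key can check whether a token belongs to a
    known person, which is exactly why pseudonymised data is reversible."""
    return hmac.compare_digest(token, token_for(candidate_email, key))


def age_band(age: int) -> str:
    """Generalise an exact age into a ten-year band, e.g. 34 -> '30-39'."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def anonymise(records, min_group: int = 3):
    """Aggregate to (age band, product) counts and drop any group smaller
    than min_group, so no row corresponds to a single customer. The
    result cannot be reversed: no key exists, and individual fields
    (email, exact age, postcode) are not present at all."""
    counts = Counter((age_band(r["age"]), r["product"]) for r in records)
    return {group: n for group, n in counts.items() if n >= min_group}


if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumed secret held by the business
    pseudo = pseudonymise(CUSTOMERS, key)
    print("pseudonymised row:", pseudo[0])
    print("re-linked to alice?", relink(pseudo[0]["token"], "alice@example.com", key))
    print("anonymised report:", anonymise(CUSTOMERS))
```

With the constructed records, the anonymised report keeps only the ‘30-39 / flyers’ group (four customers); the business card, poster and 40-49 groups are suppressed because one or two people would otherwise be identifiable from them. The pseudonymised rows, by contrast, can be matched back to a named customer by anyone who obtains the key, so they must be protected as personal data.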
Does The GDPR Apply If I Want To Send An Invoice?
The GDPR applies to all processing of personal data, not just marketing, but it does not stop you running your business. Sending invoices, receipts or information about a customer’s account is processing that is necessary to perform your contract with them, so it does not need marketing consent and is not direct marketing.
If a customer has opted out of marketing, you can still contact them about their transactions and account information, but only about those things; a service message must not be used to slip in promotional content.
Remember: This blog has been prepared by instantprint as a condensed summary of GDPR and not as a full comprehensive review. We advise all readers to undertake their own further reading and research into GDPR, including a review of the GDPR guidance set out on the Information Commissioner’s Office’s website.