WHAT IS GDPR?
The GDPR comes into force on 25th May 2018. It is not a brand-new regulation but a necessary evolution of the existing Data Protection Act. It is intended to extend additional protection to individuals and their data, giving them greater transparency and control over where their data is stored and how it is used. The ICO is working hard to produce guidance on what the new law means for organisations and how they can become compliant. It warns that, while its final guidance is being compiled, no organisation should assume that because the UK is leaving the EU it does not need to plan for compliance.
The ICO is committed to assisting businesses and public bodies to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond. The Information Commissioner, Elizabeth Denham, has acknowledged that there “may still be questions about how the GDPR would apply in the UK on leaving the EU, but this should not distract from the important task of compliance with the GDPR.” The global nature of the GDPR should also be acknowledged. All EU member states will apply the GDPR, and certain obligations (such as those relating to international data transfers) apply when working across borders. Furthermore, organisations outside Europe may need to comply with relevant aspects of the GDPR when trading with European countries or offering goods and services to people in the EU, so the GDPR can fairly be considered a law with implications worldwide.
GDPR APPLIES TO
The GDPR applies to “personal data”, meaning any information relating to an identified or identifiable natural person, that is, someone who can be identified directly or indirectly by reference to an identifier. This definition allows a wide range of identifiers to constitute personal data, including a name, an identification number, location data or an online identifier, reflecting changes in technology and in the way organisations collect information about people. The GDPR applies both to personal data processed automatically and to manual filing systems in which personal data is accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
THE INFORMATION COMMISSIONER’S STANCE
Fines under the current Data Protection Act are up to £500,000, but under the GDPR these are set to increase to a maximum of 4 per cent of group annual global turnover or €20 million, whichever is greater. The Information Commissioner has gone so far as to blog to set the record straight on fines and put minds at rest:

“Focus should be on compliance, not speculating about fines. This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that. It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the DPA allows us. It’s also true that companies are fearful of the maximum £17 million, or 4 per cent of turnover allowed under the new law. But it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements, or that maximum fines will become the norm… The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick… Our Information Rights Strategy – a blueprint for my five-year term in office – confirms that commitment. And just look at our record: issuing fines has always been, and will continue to be, a last resort. Last year (2016/2017) we concluded 17,300 cases. I can tell you that 16 of them resulted in fines for the organisations concerned… And we have yet to invoke our maximum powers… Like the DPA, the GDPR gives us a suite of sanctions to help organisations comply – warnings, reprimands, corrective orders. While these will not hit organisations in the pocket – their reputations will suffer a significant blow… And you can’t insure against that.”
DIRECT MAIL OPPORTUNITIES
- You will not necessarily need consent for direct mail. If you meet the conditions for legitimate interests (including the balancing test against the individual’s interests and rights) you will not require consent for postal marketing, although individuals keep an absolute right to object to direct marketing and must be able to opt out. For e-mail and SMS marketing, you will more than likely need consent.
- Direct mail pieces generally receive a higher response rate than e-mail, and consumers tend to perceive mail through the door as a more human approach to marketing than an unsolicited e-mail.
- Direct mail is much more targeted in the current era, and the consumer has often either purchased or shown an interest in the marketer’s product. A mailing can be produced while holding little personal data beyond name, address and postcode. Note that these are still personal data under the GDPR, so they must be held under a lawful basis and handled in line with the rest of the regulation.
- Keep your data clean. We use software to ensure that your data is accurate, and we can offer a service advising on deceased and mover records. This in turn makes for a more professional and successful mailing, and helps meet the GDPR’s requirement that personal data be accurate and kept up to date.