What is GDPR? The General Data Protection Regulation (GDPR) is a legal framework that sets out the principles of data management and the rights of individuals whose personal data has been collected. It will supersede the older Data Protection Act of the 1990s. It can impose fines that are revenue based.
GDPR is an initiative of the European Union Council. It is often referred to as the European Data Protection Regulation (EDPR), and it is by this name that it will eventually be known after its full implementation on 25th May 2018. These reforms were adopted by the European Parliament and the European Council on 27th April 2016.
While the GDPR will affect the general business environment, it will particularly affect organizations that use or deliver CRM systems and/or e-mail marketing services. But before we delve into the whys and hows, let us understand the main principles of GDPR and the rights it grants individuals.
GDPR - A brief overview:
1) Transparency and accountability: any business entity holding the personal data of individuals needs to have a clear and defined purpose for why the data was collected in the first place.
2) Consent: the onus of proving that an individual voluntarily offered the information falls on those in possession of the data. Pre-ticked web forms or mass e-mails asking for consent are illegal.
3) Individual's right to privacy: you need to be upfront about how you will use this data. If you plan to share the data with any third party, you need to declare it in advance. Data cannot be passed on without explicit consent.
4) Individual's right to be forgotten: you are legally bound to erase all personal information of an individual if he/she so demands. However, you may retain their e-mail address to ensure you will not re-import their data as a new contact.
5) Individual's right to access information: any individual can demand a copy of the personal data held about them in your system. Data portability further allows individuals to obtain their personal data and reuse it or transfer it to other IT environments.
6) Timeframe for data possession: you can hold the personal data of individuals only for a reasonable time frame. By far this is the most debatable area of the GDPR, and one can assume it will bring many future disputes.
EU General Data Protection Regulation, the UK and Brexit:
You may wonder how far the GDPR applies with the UK leaving the EU. To be precise, if a UK business is selling goods or services to individuals in other EU states, it has to be GDPR compliant in respect of all names, photos, e-mail addresses, bank details, social media posts, medical records and computer IP addresses.
However, GDPR comes into effect before the UK's exit date, so for the interim period the UK will have to comply. Otherwise, the UK has its own version of GDPR: the Privacy and Electronic Communications Regulations (PECR). The PECR takes an opt-out legal perspective, meaning a person can opt out of your mailing list at any time.
Under PECR, obtaining an individual's e-mail address at an exhibition amounts to consent: it is assumed that the individual provided the details because they were interested in your product or service. At this point, we can expect that PECR will be refined or a UK version of GDPR introduced soon after the UK officially leaves the EU.
GDPR AND THE CRM:
The General Data Protection Regulation (GDPR) is particularly relevant to users of CRM systems, and such systems can be instrumental in maintaining compliance with the new regulation. Your CRM should be configured to collect only the personal data, such as name, address or e-mail information, that you actually require to carry out the services you have promised.
Personal details that are irrelevant to the provision of such services should not be stored. Details such as past criminal record, marital status, age or income level should not be stored unless particularly relevant. The crux is that the CRM should save data that answers a defined business need, and it is best that your CRM users are trained and informed about GDPR.
As a business organization, you need to have identifiable sources for where you got the data about your leads or customers. It is imperative that the individuals whose data is being stored are categorically informed that such data is being stored. Their consent needs to be voluntary and very upfront.
If you are using e-mail marketing, it is necessary that you implement a double opt-in for gaining permission to send e-mail newsletters, offers and promotions. Double opt-in ensures that the recipient agrees to voluntarily subscribe to your e-mail marketing messages and confirms that the said e-mail address is their own.
Sending a mass e-mail to obtain consent is non-compliant with GDPR. The UK-based airline Flybe has been fined for sending an e-mail to its 3 million-address mailing list stating it would be sending future e-mails. Double opt-in requires an e-mail that includes an option to subscribe or not. Choosing to subscribe automatically updates the e-mail address in your mailing list.
The most complex area is ascertaining the reasonable length of time that data can be stored for. If, for example, a product warranty has expired, the company might no longer need the data, and retaining it beyond this time frame may require a solid, constructive reason. Similarly, online archiving and backup should be configured to delete records that are n years old.
The right to information makes you legally bound to inform an individual what information has been stored about him. Clearly, if one of your customers comes with a request to change data, say an address, you will need a good quality CRM to identify the right person and effectively update the data in all places where it is stored.
A request for a change must be treated with confidentiality, and a request to unsubscribe should erase the data from all places immediately. This also implies that you need to ensure data is not duplicated and each individual has only one record in your data. GDPR has stressed the need for good quality data and organised data management.
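As an added illustration (not code from this article or from Certax London), the small consent ledger below ties together the CRM points above in Python: double opt-in with a keyed confirmation token, a recorded source and timestamp as proof of consent, one record per normalised address so nothing is duplicated, erasure of the whole record on unsubscribe, and a retention purge of records older than n years. The secret key, the e-mail addresses and the epoch timestamps are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo secret; a real deployment loads it from a secret store.
SECRET_KEY = b"demo-only-secret"
YEAR = 365 * 86400  # seconds; all timestamps below are Unix epoch seconds


def norm(email):
    return email.strip().lower()  # one record per address, so no duplicates


class ConsentLedger:
    def __init__(self, retention_years=2):
        self.records = {}  # normalised address -> consent record
        self.retention = retention_years * YEAR

    def _token(self, email, nonce):
        # Keyed hash over address + nonce; only the inbox owner receives it.
        msg = f"{email}:{nonce}".encode()
        return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

    def request_subscription(self, email, source, now):
        """Opt-in step 1: store a pending record (with source and time as
        proof of consent) and return the token for the confirmation e-mail."""
        email, nonce = norm(email), secrets.token_hex(8)
        self.records[email] = {"source": source, "requested_at": now,
                               "confirmed_at": None, "nonce": nonce}
        return self._token(email, nonce)

    def confirm(self, email, token, now):
        """Opt-in step 2: activate only if the token matches the pending record."""
        email = norm(email)
        rec = self.records.get(email)
        if rec is None or rec["confirmed_at"] is not None:
            return False
        if not hmac.compare_digest(self._token(email, rec["nonce"]), token):
            return False
        rec["confirmed_at"] = now
        return True

    def unsubscribe(self, email):
        """Erase the whole record, not just a flag, when someone opts out."""
        return self.records.pop(norm(email), None) is not None

    def purge_expired(self, now):
        """Retention: delete records requested more than the window ago."""
        stale = sorted(e for e, r in self.records.items()
                       if now - r["requested_at"] > self.retention)
        for e in stale:
            del self.records[e]
        return stale
```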
So if you plan to avoid penalties of 4% of your global turnover or €20 million (these are maximum fines and may be lowered subject to the severity of the GDPR non-compliance), you need to review all users and access rights configurations in your CRM. A good quality CRM will have customised levels of user access with defined limits for who can see the information, change it or delete it.
Certax London uses only a reliable and GDPR-compliant CRM. We offer customised access levels and role authorisation to ensure quality data management. Our E-MAIL MARKETING uses double opt-in procedures and is fully compliant with all the latest data protection legislation of 2018. We offer industry best practices at the most competitive prices.