GDPR has become all too familiar in recent months. And now it’s here – with the 25 May deadline passed, the General Data Protection Regulation is in force.
What does it really mean for Sales teams? How will you need to change the way you deal with client and prospect data?
We round up the latest news and opinion as the new regulation takes effect.
Getting to grips with GDPR
One of the biggest challenges – particularly in the beginning – was a lack of clarity around what exactly the new rules entail.
Some of this confusion was addressed by the Information Commissioner’s Office – the UK’s representative on the EU’s GDPR Working Party.
Its blogs and publications on the regulation have given useful ‘plain English’ explanations of what’s needed.
Is GDPR really that big a deal?
You’d certainly think so, from the industry of advisers and consultants that sprang up as the deadline date drew closer.
And with some people suggesting that data breaches will be the next PPI scandal, it’s no surprise that businesses are taking it seriously.
Consent has been a big focus of compliance with the new rules. Final guidance on seeking and obtaining consent was released by the ICO last month, and set out the changes that are needed to comply.
The guidance contrasts the existing Data Protection Directive definition of consent with the GDPR one:
DP Directive definition:
“any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”
GDPR definition:
“any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
You can see that the new definition is more detailed and specific. The ICO also states that ‘this definition is only the starting point for the GDPR standard of consent. Several new provisions on consent contain more detailed requirements… In essence, there is a greater emphasis in the GDPR on individuals having clear distinct (‘granular’) choices upfront and ongoing control over their consent.’
Don’t assume it’s all about consent, though
More robust consent is certainly a big feature of the regulation, but it’s a mistake to imagine that consent is the only way to comply with it.
There are five other lawful bases for processing data – something that many firms seem to have realised quite late into the process. Even at this stage, if your firm is using consent as the primary focus of your GDPR compliance, it might be worth exploring whether one of the other bases is more appropriate.
In the run-up to implementation on May 25, there was a flurry of ‘increasingly frantic messages asking me to opt in’, as BBC News technology correspondent Rory Cellan-Jones noted in an article titled ‘GDPR: the great privacy panic’.
The danger of the consent approach, he says, is that while larger organisations may be acting on ‘expensive legal advice that this was the safe route to take’, smaller businesses may follow their lead, and ‘risk losing contact with customers who could be vital to their future’.
If you’re an SME without the option of expensive legal advice, but want to make sure you’re complying, our tips on how small businesses can overcome the GDPR challenge may be helpful.
25 May marked the start, not the end, of compliance
Elizabeth Denham, the Information Commissioner, responded to a surge of interest in the new rules in the lead-up to the implementation date. You can read her useful blog about the updated Data Protection Directive and how it works alongside the new regulation here.
The blog stresses that 25 May didn’t mark the end of GDPR or data protection activity – in fact, quite the opposite.
It’s the start of a new era in communication and data – a changed landscape for sales and marketing. Our previous blogs, on how Sales teams can work with their Compliance colleagues to make sure their approach complies, and ‘GDPR and sales – all you need to know about the new regulation’, have helpful tips on how you should adapt to this new landscape.
Working with the new rules
Your approach to business development needs to be compliant if you want to avoid the – potentially significant – penalties that come with GDPR breaches. The ICO’s regular blogs and specific microsite on the new rules are both good sources of information and guidance.
It’s predicted that the new rules might also lead to some changes in sales and marketing approaches – with an increase in social media activity, for instance, to counteract some of the restrictions of the new regulations.
If you decide to increase social media activity as a result of the new regulation, you can find out how to take a compliant approach with our free Twitter for financial promotions guide. It includes tips on writing compelling posts that also measure up to FCA standards. You can download a copy of the free guide here.
Nothing in this document should be treated as an authoritative statement of the law. Action should not be taken as a result of this document alone. We make no warranty and accept no responsibility for consequences arising from relying on this document.