How will GDPR affect your customer communications?

From May 2018, all organisations that handle personal data will be obliged to comply with the General Data Protection Regulation (GDPR). So what does this mean for your business, and how much work is involved to stay on the right side of the law?

Before we look at some of the details of this regulation, it’s worth mentioning how and why this legislation came about. Currently, UK data is regulated in accordance with the Data Protection Act, but in the EU, legislation varies, having been created in response to an EU directive.

This means that there are no consistent rules for data protection across Europe, making life more complicated for consumers, businesses and data processors alike. The GDPR is designed to create consistency across Europe, while also expanding protections and rights for individuals.

Inevitably, these expanded rights for individuals mean that organisations must review their data protection policies and potentially adapt to ensure they remain compliant. Let’s explore some of the key changes coming in 2018.

Read a summary of GDPR advice from the ICO

Individuals’ rights under GDPR

When it comes to rights, GDPR expands the protections contained in the Data Protection Act. Specifically, the regulation codifies individuals’ rights to:

  • Be informed
  • Have access to their data
  • Rectify data errors
  • Have their data erased
  • Restrict processing of their data
  • Move their data
  • Object to the storing and processing of their data
  • Object to automated decision making and profiling based on their data

Consent

Consent is a significant component of GDPR, and one element that might create work for organisations that capture, store and process data. From May 2018 you will need to keep evidence of consent being given. Consent must also be specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. It’s not acceptable to capture data for one purpose and then use it for another. For example, if a person gives you their email address so they can receive your newsletter, you can’t also send them marketing emails.

Privacy policies

You must communicate your data protection and privacy policies with customers and users, making it clear what information you keep, how you process it and who you share it with. You may have an existing privacy policy, but does it meet the expanded protections of GDPR?

Records

Becoming GDPR compliant may start with a data audit so that you can explore what information you hold, how you obtained it, who you share it with and how you process it. You will need to document all of this, along with records of how and when consent was given. In some cases, organisations may need to request consent when no records can be found. Some commentators have suggested that screengrabs of online forms would be useful evidence of consent – but of course this is likely to create additional work while adding complexity to online systems.

Processing data

If you process individuals’ data, you will need to document how you process their information, and obtain consent for the processing. For example, organisations cannot use customer data to profile them for marketing campaigns, without obtaining permission first. Individuals have the right to refuse permission. As a data processor, or as a data owner that directs the processing, you are also obliged to identify the lawful basis for your data processing. Examples of lawful bases are:

  • Consent of the data subject
  • Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
  • Processing is necessary for compliance with a legal obligation
  • Processing is necessary to protect the vital interests of a data subject or another person
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Data protection

Can you confidently explain how you securely capture, store and process data? How do you detect, prevent and report data breaches? Are your systems, processes and user training adequate to protect data?

Subject access

Individuals have the right to access the data you hold about them. Do you currently have the facilities to handle these requests – and a process for serving them?

Data Protection Officer

The ICO recommends that all organisations appoint a Data Protection Officer, although for organisations with fewer than 250 employees, it is widely accepted that this role may be taken on by an employee with other duties.

Privacy by Design and Protection Impact Assessments

Under GDPR, organisations are encouraged to make data protection a priority, and something that happens by default. Rather than creating new products or marketing initiatives and only afterwards wondering how they affect data protection, organisations should treat privacy as a central component of all activity, so that data is protected by default and the chances of data breaches and unauthorised data use are reduced.

Implementing GDPR at DocCentrics

As a provider of a customer communication management platform, our business depends on the safe and lawful use of customer data, so it was imperative that we understand the implications of GDPR, both for ourselves and for our clients. Here are a few of the key changes we made in response to GDPR:

  • Expanded our considerations of data risks from the compliance team to the project office
  • Updated contractual terms and conditions to redefine responsibilities and liabilities in relation to personal data. The result is clearer rules for managing personal data and clearer definitions of each party's accountability
  • Introduced new technical measures to ensure security matched the data risk. By monitoring trends in user/system activity we are now better positioned to identify anomalies in human/machine behaviour and detect unauthorised actions which may be linked to a data breach.

Get advice on GDPR

As you can see, GDPR is likely to push many organisations to change – or at least update – the way they capture, store and process data. The regulation creates new rights for individuals and obligations for organisations.

We hope you’ve found this summary useful, but we recommend you check the ICO website for more detailed guidance, or speak to a data protection professional for advice.