Much has been made and said of GDPR in terms of how it is going to affect businesses and their ability to market to clients and customers. There has also been some confusion as to what it means for us, so our data expert Ed has taken a look at some of the most relevant principles of the Regulation as it looms closer and how we will or won't be affected.
General Data Protection Regulation (GDPR) and CANDDi
Cast your mind back to 1998, when the Data Protection Act came into force. Celine Dion was in the charts, Titanic had broken all cinema records and Glenn Hoddle’s England side had just been knocked out of the World Cup by Argentina on penalties.
Fast forward 19 years and a lot has changed in the world. An English side has even won a penalty shoot-out! (Hockey, Olympics!)
When Tim Berners-Lee invented the World Wide Web in 1990 he could never have dreamed even a fraction of what is possible today.
The take-up of ‘wearable tech’, drones, super-fast fibre internet, robotics and artificial intelligence was not even a distant dream when the 1998 legislation was written. That legislation has been long overdue an overhaul, and this has come in the form of European legislation called the General Data Protection Regulation (GDPR).
Despite Britain voting to leave the European Union, GDPR is here to stay. 25th May 2018 is the date it is set to come into force. In short, even after Britain leaves the EU, we will have to comply with GDPR to continue to trade with any Member State. It’s coming whether you like it or not!
The key principle in the legislation concerns the processing of ‘personal data’. These two words have been defined as “any information relating to an identified or identifiable natural person”. This extends to name, identification number and unique online identifiers, amongst many more ways to identify an individual!
It has long been a talking point whether ‘personalised’ business data (e.g. email@example.com) will become subject to the same legislative standards as true ‘personal’ data (i.e. consumer data). The question here is: is personalised business data covered under personal data, or treated as a distinct concept, i.e. business data?
Extensive discussions are also still being had over the interpretation of the legislation on a further concept called ‘legitimate interest’ which will be discussed in more detail below.
What is clear is that GDPR cannot be ignored.
With regards to CANDDi, and where we fit, there are 3 main areas to consider:
Where does CANDDi sit in terms of data governance?
At this juncture we should make a distinction between ‘data processors’* and ‘data controllers’**. As a company, Campaign and Digital Intelligence Limited (The Company) is a data processor. The decision for Campaign and Digital Intelligence Limited to be a data processor means that all data stored within a CANDDi client account is that client’s data alone. It is not shared between accounts, nor does The Company take ownership of it; therefore it is the client that is the data controller.
To set the scene, on its most basic level CANDDi links together online activity (via cookies) with the business identities of the individuals that perform this activity.
The UK Direct Marketing Association in conjunction with the Information Commissioner’s Office has looked to clarify in recent months certain areas of direct / digital marketing and how GDPR is set to affect this.
One area that has caused confusion is in the practice of cookie syncing and the linking of data to this for digital marketing purposes. Under the proposed rules this would not be permitted without explicit consent from the ‘data subject’ for this purpose. This explicit consent would be twofold:
- Consent for cookie tracking
- Explicit consent i.e. opt-in for the data element and for that purpose
Historically this would have been possible and permitted through linking in to third-party data sources or via an opt-out or tacit/soft opt-in policy.
The above is however not 100% reflective of how CANDDi works nor what CANDDi seeks to achieve.
CANDDi does not ‘magic’ data out of the ether and, as processors of data, the software isn’t reliant on third-party sources that may fall foul of the new regulations (i.e. cookie syncing with third-party sources for digital marketing purposes).
Therefore, when considering this element of the legislation, although it relates to the technology of the software, CANDDi is not affected by these changes.
Do I therefore have to put Opt-In statements & boxes on my forms?
One principle worth noting is the “Legitimate Interest”*** principle. This is an area of the legislation that again has been open to interpretation. In simple terms, the GDPR acknowledges that companies may have a legitimate interest in direct marketing activities. This therefore means it would be reasonable for customers/prospects/enquirers to expect a business to attempt to promote its products. This is assuming the data subject has not previously stated they do not wish to receive marketing communication from that business.
In principle, no strict changes to a formalised opt-in policy would be required for B2B communications for new and existing customers/prospects/enquirers.
Similarly, under ‘grandfather rights’ type legislation, data that was compliant under the DPA is set to still be compliant under the GDPR new e-privacy directive. This would therefore mean that any information contained within CANDDi accounts or existing CRMs would not be required to be discarded in May 2018 and can continue to be used.
In summary, whilst the legislative changes may in certain instances become a significant burden on some businesses, they are unlikely to affect the functionality of CANDDi, the basic principle of why it exists and how the technology works.
The status of The Company as a data processor means that data sharing does not occur and therefore one of the main practices the GDPR legislation seeks to remove is not applicable to CANDDi.
*Data processor - “An entity which processes personal data on behalf of a data controller”
**Data controller - “An entity which, alone or jointly with others, determines the purposes and means of the processing of personal data”
***Legitimate interest - “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”