Does your business have an email marketing list? The laws that surround how businesses can use and store data are about to change and there are big penalties for those who fail to comply, so it’s time to read up!

The General Data Protection Regulation (GDPR) will replace the outgoing Data Protection Act 1998. It brings data protection legislation up-to-date and aims to be a worthy companion for the new and previously unforeseen ways data is used in the digital age. The GDPR will apply in the UK from 25 May 2018 and the government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.

The GDPR’s definition of personal data has a more detailed and expansive definition than the current Data Protection Act and makes it clear that information such as an online identifier (eg an IP address) can be personal data. This reflects changes in technology and the way organisations collect information about people.

How will GDPR impact my business?

The Information Commissioner’s Office (IOC), has published draft consent guidance which lists seven changes to the way businesses must collect, handle and store data under the GDPR. Stored data must be:

1. UNBUNDLED. Consent should be sought separately from other terms and conditions, in order for individuals to see clearly what they’re signing up to.
2. ACTIVE OPT-IN. Under GDPR legislation, pre-ticked opt-in boxes are not a valid form of consent.
3. GRANULAR.  If personal data is to be used in a number of ways, the ICO recommends that organisations ask for separate consent to each, to give the data owner as much control as possible over how their data is used.
4. NAMED. Data owners should always be informed of who the organisation is and, likewise, the names of any third parties with whom the data will be shared.
5. DOCUMENTED. Consent must be fully recorded and contain what the individual has consented to, the method of consent and what they were told at the time.
6. EASY TO WITHDRAW. Data owners should always be able to withdraw their consent and be able to do so via a simple, fast method.
7. FREELY GIVEN. Consent must be freely given (not forced) by individuals.

What happens if I don’t comply?

One of the most significant additions to the GDPR is the accountability principle. The GDPR requires you to show how you comply with the principles. This is explained in greater detail in this guide.

Failure to comply with GDPR legislation could result in a hefty fine. The GDPR states that companies in breach of the rules will be fined 4% of turnover, or €20 million, whichever is greater. Individuals can also bring about their own lawsuits and make compensations claims in the event of a data breach.

So, if you don’t want to risk brand damage and a big hole in the company finances, it’s definitely worth abiding by GDPR.

All in all, although the changes are likely to reduce the number of individuals on your business’ email marketing list, there is no doubt that the people who are left on your list will be active, interested followers. With GDPR in mind, we’ll be asking you over the next few weeks to opt back into our weekly tips and tricks newsletter, to make absolutely sure we comply with the new regulations. To continue getting our enewsletter please sign up here.