By now you have probably heard of GDPR, the EU privacy regulation coming into effect in May of this year. If not, you should act now as the clock is ticking and it is likely going to have a significant impact on your organisation. Below we share some brief information on GDPR, how we are preparing and some suggestions on how you can prepare. Please note the information below cannot be considered as legal advice and we encourage you to seek legal counsel to understand how GDPR will affect your particular organisation.
What is GDPR?
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). If you collect personal data of EU residents, no matter where you are based, you’ll need to comply with GDPR.
What does this mean?
GDPR is aimed at protecting the personal data of individuals. It grants them a number of new rights over the personal data a business holds about them:
- Right to rectification – Individuals can ask that their information be updated or corrected.
- Right to be forgotten – Individuals can ask that their information be permanently deleted.
- Right of portability – Individuals can ask to have their information transferred to another organisation.
- Right to object – Individuals may seek to prohibit certain uses of their personal data.
- Right of access – Individuals have the right to know what personal data has been collected about them and how it’s being used.
Consent & Transparency
We know that to market to individuals we need their consent, but things will become stricter under GDPR. Consent must be affirmative, explicit and verifiable. In other words, individuals must actively give you consent (by ticking a checkbox, for example); you must tell them exactly what you will be doing with their data, how it will be used and how long it will be kept for; and you must be able to prove that an individual gave you consent. No more pre-ticked checkboxes, and no more catch-all “Agree to our terms” followed by assuming you can market to them. You cannot rely on a lack of opt-out meaning opt-in. If you decide to do something with the data you have collected that individuals were not made aware of when giving consent, you will need to seek consent for this. These changes will also apply to all data you currently hold, unless you already have consent that meets GDPR standards.
Do I really need to bother with this?
Yes! The potential fines could be huge; this isn’t something we advise you to ignore or put off.
What are we doing?
At InTouch we have been preparing internally for GDPR for some time. We have been reviewing our internal processes, our data flows and much, much more with our legal team. We are committed to being GDPR compliant ourselves by May 2018. For you as a customer of ours, we will ensure we can abide by the regulations:
- Right to rectification – You can change the personal or company information we hold for you at any time via the Account and Personal Details pages. You can also contact us directly to update your personal information and any data we hold.
- Right to be forgotten – You can cancel your account at any time and we will permanently delete all data from your account and any associated data within 30 days of your request.
- Right of portability – You can export your data from within InTouch.
- Right to object – You can opt out of any marketing, market research, etc. that we carry out at any time, via opt-out or by contacting us directly.
We will also be making a number of changes within InTouch in the coming months to help you with becoming compliant. We already have a number of features that help you with requests from your customers:
- Right to rectification – You can update contact information within the Contacts area of InTouch.
- Right to be forgotten – Should you receive a right to be forgotten request you can delete the contact from your account. If one of your contacts comes to us directly we will handle the deletion and let you know.
- Right of portability – If you receive a request for the personal details you hold on a contact, you can run a data export and select the row pertaining to the contact. We are working on an export function for an individual contact record.
How you can prepare
- Ensure you understand how to use InTouch to satisfy the various rights set out above. If you have any questions please contact us.
- Be ready to implement changes to any InTouch forms you have on your website when we roll these out. We’ll share with you the changes we’re making and how to implement them as soon as this is ready.
- When we roll out double opt-in for confirming consent, seriously consider applying this process.
- Start deleting contacts that you no longer need, as GDPR requires you to store only the data you need and only for as long as you need it. If you’ve not done business with an individual in a long time and they have stopped opening or interacting with your marketing, you are safer to delete this data. We will be rolling out features and reports that will help you with this in the coming months.
- Seek legal advice to understand how GDPR applies specifically to your organisation. All the information above is provided to help you as a customer of InTouch, but we have only scratched the surface of the changes in law as a result of GDPR.
Feel free to contact us if you have any questions!