News

20 September 2017 Christine

How will the GDPR affect membership organisations in the UK & beyond?

You’re probably aware by now that a huge change to the UK’s Data Protection Laws will be implemented on the 25th of May 2018 in the form of the General Data Protection Regulation (GDPR). This change will affect the way all B2C and B2B marketers are allowed to store, process and use data and membership associations will be no different. It's therefore vital to be in the know and prepared for when the time comes.

What is the Data Protection Act (DPA)?

Let’s start at the beginning. The DPA passed in 2000 in response to the 1995 Data Protection Directive (DPD), created when internet marketing was in its infancy. The DPA is the UK’s law based upon the Europe-wide DPD. In the words of its authors the DPA is:

“An Act to make new provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information.

[16th July 1998]”

The DPD has remained relatively unchanged for more than 20 years – though regulations and specifications have been added along the way – and next spring’s change will introduce the GDPR, which will replace the DPD. A new Act will then follow within 12 months of the GDPR to replace the DPA.

What is the GDPR?

The GDPR is a regulation drawn up by the European Parliament, the Council of the European Union and the European Commission to give citizens more control over how their data is used online. The GDPR will change the way businesses conduct their marketing and applies if the data controller (organisation that collects data from EU residents) or processor (organisation that processes data on behalf of data controller e.g. cloud service providers) or the data subject (person) is based in the EU.

Here is a checklist to test exactly how prepared you are for the GDPR, as well as telling you what you need to do to prepare.

What data is protected under the GDPR?

According to the European Commission "personal data is any information relating to an individual, whether it relates to her or his private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address."

Consent or legitimate interest

As the ICO puts it here, “consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in – consent cannot be inferred from silence, preticked boxes or inactivity.” If you’re collecting consent for the purpose of marketing, “[a positive opt-in] must also be separate from other terms and conditions, and you will need to have simple ways for people to withdraw consent.” For B2B marketing, if content is about products and/or services that are relevant to the recipients’ job role, it can be marketed on an opt-out basis without consent as long as the method of opting out is clearly defined. This is only when marketing to corporates; limited companies, LLPs, partnerships in Scotland and government departments. If marketing to sole traders or partnerships B2C rules apply, and opt-in consent must be obtained.

Consent doesn't last forever, and this time factor depends on the circumstance and context in which consent was obtained.  If the circumstances have changed or the context is no longer relevant, then the recipient may no longer wish, nor expect, to receive further marketing communications from you. For example, if a member had given consent to receive emails about an event 8 months away, they will expect to receive emails about the event up until the event date. After the event has happened, it will become harder for you to rely on the original consent as time passes.  Or, in the case of annual memberships, it would be okay to email members about an approaching renewal window. But it would not be okay to email them the following year if they failed to renew or give any other indication that they wish to continue to receive your emails. Equally, if they at any point expressed a desire to unsubscribe from your emails then you should at no point send them any more emails.

‘Legitimate interest’ is a much debated subject (see paragraph 47). Once marketers have received a subject’s consent to process their data, they may use other personal data such as the subject’s purchase history or location to tailor their marketing as long as they can prove it’s of ‘legitimate interest’ to the subject.

What happens if I don’t comply with the GDPR?

“The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonisation of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of worldwide turnover."

According to Article 83 paragraphs 4 and 5 of the GDPA the following sanctions can be imposed:

  • a warning in writing in cases of first and non-intentional non-compliance
  • regular periodic data protection audits
  • a fine up to €10,000,000 or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater
  • a fine up to €20,000,000 or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater depending on severity

How will Brexit affect the GDPR?

Just a few weeks ago the European Commission released newly drawn up position papers on how Brexit will affect GDPR. This move came shortly after the UK government itself issued their position papers on the subject. The bottom line is the UK government has agreed to wholly comply with the EU data protection law, stating, “At the point of our exit from the EU, the UK’s domestic data protection rules will be aligned with the EU data protection framework.”

This will mean that EU data protection law will become UK law in order to maintain the free flow in data. Brexit shouldn’t affect the GDPR and changes to the DPA in the future as far as we currently know.

What should I do now?

To ensure you comply with the GDPR, there might be a few things you must do. When a member joins your organisation, you must make what you are using their data for explicit and ask them for their consent to process (use) data and use it to market to them. The issue of consent is an important one when implementing the new regulations, and whether your marketing is B2B or B2C changes how the GDPR will affect you. Valid consent must be explicit for data collected and what the data is used for must be known by the subject. Data controllers must be able to prove "consent" (opt-in) and consent may be withdrawn at any time. 

When a member joins your organisation you can ask for their consent to sign up to email marketing and state what that will entail - for example renewals, events, discounts and offers, refer a friend – and tell them that they are free to update their preferences within their member area or profile. If you’re one of our clients using RiverCRM then you’re lucky! We’ve equipped our software with features which will make it easy for you to ensure you’re complying with GDPR. If you have any questions on this please feel free to contact your account manager.

You also must remember that this consent doesn't last forever. The best practice is, if you are relying on consent that is six months or older you should check if the original consent is still valid. The question you should be asking is whether it is still reasonable to treat it as an ongoing indication of the person’s current wishes to receive your marketing communications.

The best step to take from here is to ensure you’re reading up about the DPA, the GDPR and everything surrounding it so you can go into 2018 equipped with knowledge and a solid plan.

 

Please do take some time out to thoroughly read all the links provided within this article, as the potential cost of non-compliance is not worth the risk and a lack of knowledge on the subject is not an excuse. It’s also very important to remember that these rules may continue to change and evolve up until the GDPR takes effect, so below are some integral places to go to keep informed:

GOV.UK

European Union

UK Government legislation

Information Commissioner’s Office

General Data Protection Regulation text

View more like this: What is "consent" and "legitimate interest" in relation to the GDPR?

Want to receive monthly articles and updates containing advice and inspiration for the membership, nonprofit and charity community? Why not subscribe to Senior's mailing list?

In case you missed it...