(GUEST BLOG BY CHORD UK)
Major reform of EU data protection laws will result in a new EU Data Protection Regulation (EU DPR) being enforceable for UK organisations in the next 12-24 months. The changes will have a huge impact on the way in which all organisations collect and manage personal data.
Explicit consent will be required for personal data collection, data usage and marketing.
€100 million fines + individual compensation claims
Fines of up to €100 million or 5% of annual worldwide turnover (whichever is higher) for non-compliance can be enforced. This will be delivered via a strict enforcement regime, not an education-based, self-regulated approach. The Information Commissioner’s Office (ICO) has already warned that it will be forced to process breach notices and mandatory fines. There will also be a simple process by which individuals can make compensation claims too.
So, all membership marketers should act now.
You’ll need to collect and retain proof of explicit consent for things that you may not have considered before. This includes adding prospects and members to mailing lists and sending them marketing communications. It also includes using your members’ or subscribers’ personal, behavioural, purchase and preference data to tailor your website or send them personalised and relevant emails.
Being able to prove explicit consent for all personal data that you collect, store and use for marketing should be a top priority for membership organisations.
The EU DPR classifies all of these as personal data: full name, job title, work email address, direct telephone number, actions & behaviours as well as computer IP address.
Consent will need to be gained using simple language, not via a pre-filled opt-in boxes or hidden deep in your privacy statement. In order to be able to prove it, you’ll also need to make sure evidence of consent is easy to locate.
How this applies to your existing members
You must also be in a position to prove consent, not just for new members and subscribers but for existing ones too. Because consent is not forever, you should also be in a position to show recent consent, so having a policy in place for refreshing consent regularly is a must.
Business-to-Business (B2B) – opt-in now required
In the new Regulation, no distinction is made between personal data relating to consumers and business contacts. This is new and requires B2B marketers to gain opt-in, not just offer an opt-out. If the information relates to an individual or identifies an individual, processing and marketing need consent.
Third party data
If you use third party data (i.e. purchase or lease marketing lists), you should review all the sources and obtain proof about opt-in status. Only with clear, informed and express opt-in by an individual to your organisation’s communications, can you obtain consent. This would be very difficult for a third party data supplier to offer.
The right to be forgotten
Individuals must be provided with the option to have their data deleted, not just ‘suppressed’. The Regulation makes these rights clearer and more enforceable. If service messages are needed, members should be told in advance, be able to choose the notification method (post, email, SMS, telephone, none) and then have their data deleted after those notifications are complete.
Act now – time is short
Act now to plan how best to gain and prove consent from new and existing members and subscribers – and ensure that you’re ready. You should also review privacy policies, your website and other data collection channels and terms and conditions.
One to two years is not a long time to prepare!
About Chord UK
Chord UK Ltd is a Memberwise Recognised Supplier and delivers high quality member engagement via outsourced telemarketing, direct & digital marketing, data improvement and research, for clients including the British Medical Association (BMA), British Veterinary Association (BVA), Association of Corporate Treasurers (ACT) and techUK (formerly Intellect). Please take a look at Chord’s work with membership clients and how ACT gained consent.