GDPR, the UK and Brexit: The Facts for Marketers
Recently the Direct Marketing Association revealed that a quarter of UK businesses will not be ready to meet the May 2018 deadline for changes to the way they gather, store and use data, as required by the GDPR (General Data Protection Regulation). Most of the worst delayers were branded goods makers.
Marketers appear to be unsure whether the UK’s departure from the European Union will mean it is exempt from the EU’s strict new data protection rules. So, what are the facts:
GDPR will precede the UK’s exit from the EU
Britain’s exit from the EU will take a minimum of two years from the time that Prime Minister Theresa May triggers Article 50, formally notifying the intention to withdraw from Europe. GDPR will become law in the UK in May 2018 – almost a year after the earliest time that Britain could even contemplate being free from the EU. So GDPR is totally relevant to all businesses.
The Great Repeal Bill will make most EU laws become UK law
After Article 50 is triggered all the laws and regulations made whilst the UK was part of the EU will need to be transferred into the UK statute books via the acceptance of a Great Repeal Bill to end the supremacy of EU law in the UK. This will include the GDPR, but the Bill will at its first stage simply make EU laws become UK laws and not directly change them.
The Government and the ICO have confirmed that the UK will follow GDPR
During a parliamentary question and answer session in November 2016, Karen Bradley MP, Minister for Culture, Media and Sport confirmed that the UK will formally opt in to GDPR because it will still be a member of the EU when it comes into force. And last month the head of the ICO, Information Commission, Elizabeth Denham, delivered a speech on GDPR confirming this. She said “I’m a regulator, independent of government – but they’ve made it clear that EU law will remain UK law, until the government sees fit to repeal it.”
What does this mean for marketers and promotions?
In a nutshell GET READY. Remember GDPR applies to all companies – large or small – who handle personal data on EU citizens. Those found to be breaching the rules could face a fine of up to 20 million euros or 4% of their worldwide annual turnover. You can follow the ICO’s useful 12 step guide to preparing for GDPR here. You can also begin by making sure your promotions are compliant with the new rules. Here are some helpful tips:
1. Consent – must be clear and freely given. It must also be specific, informed and unambiguous. Do this by using clear and affirmative actions (eg a tick box) or statements to clarify that the entrant agrees. Do not use pre-ticked boxes that people can claim they did not see or understand.
2. Timing – Consent is not forever. You will need to refresh consent on a regular basis, the timing of which will depend on the buying cycle of your product
3. Cross border promotions – Any promotion targeted at any EU country must follow the GDPR, even if the promoter is not based in the EU or the promotion is ‘in the cloud’.
4. Data – If you are an agency, you should not be touching anyone’s data unless you have a signed Data Processing agreement in place. You may need to update your processes to be compliant With the growing demands of clients.