Guest blog provided by William Smith, Business Continuity Consultant.

The Business Continuity Institute (BCI) has highlighted that among the top ten perceived threats to all businesses and organisations are those from cyber attacks, data breaches and new laws or regulations. The BCI Horizon Scan report states that “Data protection is a growing concern for businesses…there has been an increase in the number of both large and small organizations experiencing IS breaches, with a staggering 90% of large organizations and 74% of small firms suffering a breach in the last 12 months. These findings clearly suggest that being subject to a breach is no longer an ‘if’ proposition but ‘when’.”[1] Readers may already be aware of the many headline stories currently circulating about data hacking and the misuse of marketing and customer data. Organisations that fail to adopt high data protection standards are therefore often viewed with suspicion and, in the event of an incident, could very well suffer severe reputational damage.

In May 2018 the new General Data Protection Regulation (GDPR) from the European Union will come into force and will apply to the UK, as the country is not due to leave the EU until around March 2019. However, the Government has already stated that the UK’s data protection regulations will continue to comply fully with GDPR even after Brexit. Should you fail to comply with GDPR, you could well find yourself under investigation by the Information Commissioner’s Office (ICO)[2], which, if it discovers a breach, can currently impose a maximum penalty of £500,000 on companies that fail to adequately protect their customers’ information. Under GDPR, if an organisation is found to be in serious breach of the regulations – be it from a cyber-attack or human error – the penalties increase in severity and you could be fined up to €20M (around £17 million at the current exchange rate) or 4% of your turnover, whichever is larger.

GDPR has been designed with the objective that organisations will be better able to manage, protect and administer their data – including marketing data. GDPR will apply to all organisations, which means you must comply with its requirements regardless of the size of your company or the number of employees who work for you.

GDPR rules about data security will affect both your existing and future customers and the way in which you process their data. Although the need for “opt-in consent” to send marketing messages will probably apply mainly to future customers, be aware that if a customer subsequently buys a product from one part of your firm, this does not necessarily mean you have their consent to send them marketing material from another part of your business. To be on the safe side and ensure compliance with the regulation, marketing consent will, for the most part, need to be sought on an “opt-in” basis. Marketing consent must therefore be unambiguous, and it must be made very clear to clients what information they are agreeing to receive from you, whether you are a marketing agency or a company’s marketing department. In other words, marketing consent must be the result of a positive action and the agreement of the individuals being targeted.

GDPR will apply to both Business to Business (B2B) marketing and Business to Consumer (B2C) marketing, as GDPR makes no distinction with regard to the use of personal data. Such data will include not only an individual’s personal information but also their workplace email address, workplace direct-dial number, name, job title and even their workplace postal address.

In B2B and B2C telemarketing, organisations will still be required to ensure that the telephone numbers held within their CRM databases are checked against the Telephone Preference Service (TPS) and Corporate Telephone Preference Service (CTPS) registers. It is worth noting that TPS is not just for individual consumers but also applies to prospects such as sole traders and partnerships, many of whom may have opted out of receiving marketing material by being included in either of the TPS registers; this could also cover their personal mobile telephone numbers.

The ‘Right to be Forgotten’ / ‘Right to Erasure’ enables individuals to request the removal of their data from your CRM database in certain circumstances. However, under GDPR you do not have to delete that personal information if you need it for accounting, tax or other regulatory purposes. It is worth noting that if data is not deleted from your systems, you run the risk of mistakenly sending that individual unsolicited marketing material in the future, which could constitute a breach.

Under GDPR, where personal data is subject to automated processing (also known as profiling), individuals have the right to opt out of direct marketing. However, it should be noted that an individual cannot opt out if holding their data is required for a contract between them and your firm.

If your business involves the ‘regular and systematic monitoring of data subjects on a large scale’[3] then the chances are you will need someone in the role of Data Protection Officer (DPO). This depends not on how many people the firm employs but on the amount of data held. Many marketing and other organisations, even if physically small in size, will hold large amounts of personal and other data on their prospects and existing customers. Whoever you appoint as the DPO, be it an existing member of staff or an outside consultant, must have “expert knowledge of data protection law and practices”[4]. This is vital, as they will be responsible for GDPR compliance, advising the firm with regard to its obligations, acting as the contact point for enquiries from the ICO, and handling requests from individuals for information about the data you hold on them.

GDPR will also apply to any country that wants to sell to EU citizens, and this will include firms from trading countries such as China, India, Australia, the USA and (when Brexit is completed) the UK. Therefore UK companies, in order to operate and compete with other foreign firms, will still have to comply fully with the requirements of GDPR. The regulation will also apply if the data you hold includes any information about EU citizens or relates to any other EU-based trading arrangement. Data protection will, therefore, remain a large and important part of any customer and marketing relationship.

[1] Business Continuity Institute Horizon Scan Survey 2017

[3] ‘Guidelines on Data Protection Officers’: Article 29 Working Party, European Commission

[4] ‘Guidelines on Data Protection Officers’: Article 29 Working Party, European Commission
