In just over 400 days from the time we expect you’ll be reading this, changes to the governance of data will come into play, potentially leaving any business that has gathered data open to legal challenge. In short, the Data Protection Regulations demand that you have a hard trace of where your data has been obtained. Without a paper trail, businesses are vulnerable to legal complaints.
The advice is to prepare now, well in advance of the May 2018 deadline. Those marketing to consumers are thought to be most at risk of falling foul of the new directives, though B2B firms are still advised to check where they stand. With that in mind, we very much recommend reading the following two links to see where you stand:
DMA’s interpretation of the ePrivacy Directive: https://dma.org.uk/article/worst-eprivacy-b2b-fears-averted
Brexit’s likely impact on the legislation: https://dma.org.uk/article/welcome-to-2017-and-the-future-of-data-protection
And now from the experts; here’s how iBikeShop’s Si Watts has interpreted the latest guidelines:
In summary, all data used for marketing purposes must have traceable permission/consent. It must also have date of permissions listed, as well as the method for seeking permission.
All data collection must be:
- Securely collected
- Securely stored
- Have only minimal access rights within an organisation.
Consent must have been verified (double opt in).
“Implied” consent is no longer satisfactory.
Forced opt-out becomes illegal, i.e. any action which would result in a customer being added to a marketing list must be declared at the point of contact AND the customer must explicitly choose to opt in.
Theoretically, unless explicit opt-in is received, data gathered for sales purposes does not qualify. This means you cannot automatically add anyone and everyone who you transact with to your mailing lists, that is, unless there is a distinct opt-in mechanism at the point of sale. This includes both OTI and OTC transactions (over the internet and over the counter).
Data subjects have the right to have all data erased. This is a tricky one, since many retailers and systems *may* consider that the customer’s details are an intrinsic part of the sale data. I’ve not seen any satisfactory explanation as to how this *might* impact on being able to issue recall notices for defective products, for example.
Disclaimer: We advise further reading on this topic for anyone with email data. Both CyclingIndustry.News and Si’s pointers here are advisory based on our own thoughts. Consulting an expert is advised.