General Data Protection Regulation (GDPR)


In the UK, the General Data Protection Regulation (GDPR) will replace the Data Protection Act 1998 (DPA); the same law will apply across all 28 EU member states. The Government have confirmed that Brexit will not affect the commencement of the GDPR in the UK.
 
GDPR was adopted on 27th April 2016 but becomes enforceable law from 25th May 2018 with potential heavy fines for companies that do not comply.

The Six Principles of GDPR
 
Personal data shall be:
 
1. Processed lawfully, fairly and transparently
2. Collected for specified, explicit and legitimate purposes
3. Adequate, relevant and limited to what is necessary for the processing
4. Accurate and kept up to date
5. Kept only for as long as is necessary for processing
6. Processed in a manner that ensures its security
 
For Contacts to be kept on a Mailing List you need to be able to demonstrate auditable consent. Contacts can also request “the right to be forgotten”.


Register (notify) under the Data Protection Act

Under the current Data Protection Act 1998 (DPA), organisations that process personal information are required to notify the ICO as data controllers (unless an exemption applies). This involves explaining what personal data they collect and what they do with it. With the countdown to GDPR, the fees that data controllers have to pay the ICO are changing. If you are not already registered under the DPA, read more here.
 

When can I refuse to comply with a request for erasure?
 
You can refuse to comply with a request for erasure where the personal data is processed for the following reasons:
1. to exercise the right of freedom of expression and information;
2. to comply with a legal obligation or for the performance of a public interest task or exercise of official authority;
3. for public health purposes in the public interest;
4. for archiving purposes in the public interest, scientific research, historical research or statistical purposes; or
5. for the exercise or defence of legal claims.
Source: ICO Right to erasure
 
 
Get Ready
 
As an agency owner, you will need to ensure you are fully compliant. The transition period gives you plenty of time to prepare. Some practical steps you can take are to understand what personal data you hold, review your third-party relationships, document your processing activities, and apply technical and organisational measures, including policies and procedures covering data protection, information security and data breaches.
 
Acquaint & GDPR

Although Acquaint already has Marketing Preference options per Contact, we are adding new functionality in Version 12 to help you adhere to GDPR:

1. Anonymisation of Contacts, the "right to be forgotten" - this function will remove all personal contact details, documents, notes etc., but will leave anonymous transactional data in place in case historical reports need to be produced.

2. Double opt-in of Marketing Preferences - new Contacts will be required to confirm their marketing preferences (Telephone, Email and Post). It is also possible to bulk send these confirmations to existing contacts. For example, you may want to re-confirm the Marketing Preferences for everyone in your database.

3. Registration emails from portals - when importing registration emails, Contacts will still be automatically added, but their marketing preferences will be turned off (opted-out) by default. These contacts can then be sent an opt-in email.
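To make the three behaviours above concrete, here is an added illustration in Python. It is not Acquaint's code; the field names, the single-use confirmation token and the consent log structure are assumptions chosen to show an opted-out default on import, a double opt-in that leaves an auditable record, and an anonymisation that strips personal details but keeps transactional data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional
import secrets

CHANNELS = ("telephone", "email", "post")  # the marketing channels named above


@dataclass
class Contact:
    contact_id: str
    name: Optional[str]
    email: Optional[str]
    phone: Optional[str]
    notes: List[str] = field(default_factory=list)
    # A portal registration import is just Contact(...): every channel starts
    # opted-out, and only a confirmed opt-in flips a channel to True.
    preferences: Dict[str, bool] = field(default_factory=lambda: {c: False for c in CHANNELS})
    transactions: List[dict] = field(default_factory=list)  # survives anonymisation
    consent_log: List[dict] = field(default_factory=list)   # the auditable consent trail
    pending_token: Optional[str] = None
    anonymised: bool = False


def send_opt_in(contact: Contact) -> str:
    """Double opt-in, step 1: issue a single-use token carried by the confirmation email."""
    contact.pending_token = secrets.token_urlsafe(16)
    return contact.pending_token


def confirm_opt_in(contact: Contact, token: str, channels: List[str]) -> bool:
    """Double opt-in, step 2: accept only the outstanding token, then log each consent."""
    if contact.anonymised or token != contact.pending_token:
        return False
    contact.pending_token = None  # single use: a replayed link cannot re-consent
    stamp = datetime.now(timezone.utc).isoformat()
    for ch in channels:
        if ch not in CHANNELS:
            raise ValueError(f"unknown channel: {ch}")
        contact.preferences[ch] = True
        contact.consent_log.append({"channel": ch, "confirmed_at": stamp, "method": "double opt-in"})
    return True


def anonymise(contact: Contact) -> Contact:
    """Right to be forgotten: strip personal details and notes, keep transactional data."""
    contact.name = contact.email = contact.phone = None
    contact.notes.clear()
    contact.preferences = {c: False for c in CHANNELS}
    contact.pending_token = None
    contact.anonymised = True
    return contact
```

The consent log holds only channel, timestamp and method, so it can be retained as evidence of consent after the contact has been anonymised.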


When Can I Get Acquaint Version 12?

We aim to release Version 12 at the start of December 2017.

Additional Reading

https://ico.org.uk/for-organisations/data-protection-reform/

Date Added 04/10/2017