There has been a huge amount of noise recently in the UK data industry about the GDPR rules and what they mean and how they affect everybody involved. The thing is, all it’s been is talk.
You still need to take direct action to protect your company from the current and new rules and regulations that come into force. Even though the GDPR won’t apply until 25th May 2018, now is the time to prepare. No need to scramble as the deadline approaches.
We don’t want to go over the exact minutiae of how different elements of data capture need to be opted in; instead, we’ll take a broad look at data opt-in consent as a whole. Let’s look at some very specific wording from the ICO that should form the basis of where you need to be if you’re operating in the data collection space and need a definite 'opt in' (be that publisher, advertiser, agent of the advertiser, or data broker).
What is valid consent?
- Consent must be freely given; this means giving people genuine ongoing choice and control over how you use their data.
- Consent must specifically cover the controller’s name, the purposes of the processing and the types of processing activity.
- Consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly.
- Consent should be obvious and require a positive action to opt in.
- Explicit consent must be expressly confirmed in words, rather than by any other positive action.
- There is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate.
Ok, now we have the basis from which all data must be collected if we want to contact a consumer.
Seems simple, right? Wrong.
The problem is, unless you have direct access to the origination point of a consumer’s information, how can you reasonably assert that all these valid consent points are being captured? The straight answer is, you can’t.
Let us ask you this: have you bought leads or list data from a broker that hasn’t given you the source of the data? If the answer is yes, you’ve got a problem. You’re no longer going to be able to do this, so get used to it.
Next question: do you rely on a supplier giving you information about how data has been collected without actually checking whether it has been collected in that way? If the answer is yes, you’ve got a problem. You now need to start checking each origination point of a consumer for the correct opt-ins. You might say, "Well, that’s the problem of the company that is collecting the data; they can’t tell me one thing and do another." I agree with you, but the law might not. You have to be proactive about the consent opt-ins. You have to be sure. This is now something you can’t leave to chance.
One final question: Do you have ‘old’ definite opted in data lying around that you contact infrequently and on a completely ad-hoc basis? You could be falling foul of the law by doing this. Admittedly, it’s difficult to determine whether you actually are or not as the rule is quite ambiguous. I would suggest contacting the ICO and getting their thoughts.
So, we’ve now identified some key areas that require attention. The question is, what actions can you take to ensure that you remain a compliant and vigilant data purchaser/processor/controller? First we need to quickly check the differences between a Data Controller and a Data Processor:
The ICO say…
“data controller” means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be processed.
“data processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
“processing”, in relation to information or data means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:
a) organisation, adaptation or alteration of the information or data,
b) retrieval, consultation or use of the information or data,
c) disclosure of the information or data by transmission, dissemination or otherwise making available, or
d) alignment, combination, blocking, erasure or destruction of the information or data
Data Controllers – You need to get consent…
‘Consent must specifically cover the controller’s name’ - You can now see how important it is for the brand or advertiser to check the valid consent opt-ins for each source of data. It’s not a nice-to-have; it has to form the basis of data collection for your organisation now, and for the future.
Great! But how are we going to make sure we are always compliant?
No need to panic.
Use technology to create a virtual trail so you can get the origin of every lead and let it alert you to any changes that happen going forward.
Here at Databowl, we write plans for organisations in all different verticals to ensure that they are GDPR compliant now and in the future. Here are some advantages of using technology to help you stay compliant.
- Using Databowl you can meet and work directly with all the data originators easily
- You can still pass through sources if you are working with data brokers
- With every record you can collect the specific opt in statements
- You can set contracts within the tech that cover the collection process of the data.
- Set alerts to check for wording or opt in changes
- Automatically reject individual data records, or sources that aren't passing through the correct opt in statement
- Gain access to any records in milliseconds if needed for disputes or proof of collection
Using continually updated technology ensures you will comply with GDPR regulations now and in the future, leaving you to focus on the things that matter to your business.