We're here to help you make sure you are ready for GDPR. We'll continue to add resources including information on the upcoming regulatory changes that will start to be enforced in May 2018. We'll be covering how GDPR will impact B2B CRM customers and steps you can take to be compliant.
We'll start with the Information Commissioner's Office (ICO), which has provided a valuable, updated resource on GDPR. It covers who the regulation applies to, what its principles are, the rights of individuals and more.
You could be fined 20 Million Euros or 4% of annual global turnover (whichever is higher) if you do not comply with the new regulation.
Likely. If you are a company that processes the personal data of individuals in the EU, then you will fall under the regulation.
You must obtain personal data through a clear consent procedure.
When an individual citizen wishes to have their data removed, the data controller must take appropriate steps to inform the appropriate parties in the organisation about the erasure. However, unsubscribing or opting out from marketing communications is different from the right to be forgotten. If an individual doesn't want to receive direct marketing communications, the organisation should retain their personal data for as long as necessary in an 'unsubscribe' file, and everyone within your organisation should be aware of it.
Organisations will be able to retain customer information and be able to contact them about safety or product recall concerns even if that customer has exercised the right to be forgotten.
The right to data portability only applies where the data processing is based on consent, is carried out by automated means and the data subject has provided the information. In practice, it will only apply to cases where the customer switches providers, such as social media services or utilities.
Individuals have the right to obtain the personal data held about them free of charge the first time. For any further copies, organisations can charge a 'reasonable fee'. Organisations are also within their rights to refuse to answer a subject access request if it is malicious in nature.
This principle is the storage limitation principle in the new regulation. The ICO has produced guidance on the current principle here.
How frequently would you suggest consumer consent should be refreshed, if at all?
You do have to offer subjects the opportunity to opt out, but you do not necessarily have to refresh consent.
Will digital tracking techniques need to be more transparent now?
Clarity and transparency of consent are a highlight of the new regulation. This includes digital data such as cookies.
Only a small difference. This is because B2B data can be viewed as personal data when it identifies an individual: for example, a business email address or phone number that relates to an individual is considered personal data. B2B contacts will be treated in the same way as B2C contacts when personal data is involved.