23.11.2017

Marketing & Creative

GDPR FAQ - all the answers you need

12 min read

Matthew

This blog was first published in November 2017 and was updated in August 2018.

Frequently asked questions in relation to the GDPR

On the 25 May 2018, the most comprehensive reform to data security and privacy in the last 20 years came into effect: the General Data Protection Regulation (GDPR). Designed to harmonise data security and privacy laws across the European Union, the GDPR will transform data acquisition, processing and management as we know it.

And yet, despite the GDPR being in effect, many businesses are still coming to grips with the regulation. American research and technology advisory firm Gartner predicts that, by the end of 2018, more than 50% of companies affected by the GDPR will not be in full compliance with its requirements.

The recommendation from many institutional bodies, experts and advisory firms is to act now. But while there is a plethora of information out there on the GDPR, little has been said on what it means for a business’ marketing activity – and how best to prepare.

Therefore, we have compiled a list of the most frequently asked questions in regards to the GDPR and provided a series of answers.

Question One

"The GDPR obviously covers email and email communications - does it also include telephone communication?

What if I buy a list of phone numbers and call each person?"

Before you even start contacting people on a list you have purchased from a third-party, ask yourself this:

“Did the data provider obtain that information consensually – and did the individuals on that list consent to being contacted by parties other than the data provider itself?”

If the answer to both questions – or either of them – is “no”, then you will be breaking the law under the GDPR. Consent must be acquired for each individual action: the data provider must have obtained that information consensually – and the data subjects must have consented to their data being used by parties other than the data provider.

Also, if you record calls, this falls under the Data Protection Act (DPA) of 1998 and is classified as a form of data processing. The DPA states that individuals must be informed of how and why their data is being processed – which, in this instance, means telling the individuals what the call is for or what it is going to be used for. You know when you call Vodafone, for example, and hear “this call is being recorded for training purposes”? That’s the DPA working away. The GDPR extends these requirements, asking that businesses demonstrate that the purpose of call recording fulfils any of these six conditions:

  • The people involved in the call have given their consent to be recorded
  • Recording is necessary for the fulfilment of a contract
  • Recording is necessary for the fulfilment of a legal requirement
  • Recording is necessary to protect the interests of one or more participants
  • Recording is in the public interest or necessary for the exercise of official authority
  • Recording is in the legitimate interests of the recorder – unless those interests are overridden by the interests of the participants in the call

In order for calls to be recorded, businesses will need to justify the call recording under one of the six categories highlighted above.

Question Two

"Are these rules or guidelines? What is the difference?"

To be clear, the GDPR is law – and not advisory.

Businesses that process personal data of European Union (EU) citizens, regardless of whether they operate in or outside the EU, must comply with the GDPR. Failure to adhere to the GDPR can result in fines of up to 20 million Euros or 4% of the group’s worldwide turnover (whichever is greater).

Less serious violations such as improper records or failing to notify the relevant authority of a breach can result in fines of 2% of the group’s annual worldwide turnover, or 10 million Euros.

Question Three

"Who will actually issue the fines? Who would you contact to complain about a company? Who will contact you if there has been a breach (i.e. is it a European body)?"

The supervisory authority in each EU country will issue fines in the event of a data breach. Complaints regarding businesses should also be lodged with the relevant supervisory authority.

In the UK, this is the Information Commissioner’s Office, which is headquartered in Wilmslow, Cheshire and also has offices in Scotland, Wales and Northern Ireland.

Question Four

"I’m in the UK and Brexit is coming - why should I bother or worry about it?"

The UK Government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.

According to the gov.uk website: “The GDPR will have a direct effect on UK law from 25 May 2018. There are derogations (flexibilities) within the GDPR where the UK can exercise discretion over how certain provisions will apply.” Once the UK has left the European Union, however, the legislature will be able to make changes to the GDPR framework as it sees fit.

This means that, despite Brexit, the GDPR will apply: if your business markets to European citizens or operates within the EU, the GDPR applies to you! After the initial exit period, the UK will develop further legislation that will largely follow the GDPR, as it provides a clear baseline for UK businesses to continue to market to EU citizens and those in the EU.

Question Five

"The regulation talks about ‘data controllers’ and ‘processors’, what are they?"

In their simplest forms, data controllers are those that determine how data is used and processed. Data processors process data on behalf of a controller.

Here are some examples of data controllers: government bodies, voluntary organisations, hospitals, or even your Internet Service Provider (ISP).

Here are some examples of data processors: accountants, market research companies, surveyors – anyone who processes data on behalf of someone else (an individual or company).

For example, we – as a marketing consultancy – would be both a data controller and a data processor. We collect personal information from website visitors, including those who fill in forms, and we control that data, as we decide what to keep and what to use in our digital marketing efforts.

We process that data as well: holding it, organising it, analysing it, adapting it, retrieving it, erasing it, combining it and much more. It could be as simple as obtaining a new lead via your website and adding that lead’s information to your CRM, or editing contact records.

Question Six

"Who is responsible for the data within marketing agencies?"

Simply put, everyone!

Having a clear view of your business’ data across the department is key to ensuring you meet the requirements of the GDPR. Good data governance needs to be driven from the top down (I’m looking at you, C-Suite) and on that basis, starts with the seniors in the business driving it forward.

That said, the GDPR does require that certain businesses, organisations and institutions appoint a DPO (Data Protection Officer) to oversee the business’ data management.

Under the GDPR you must appoint a data protection officer if you:

  •  Are a public authority (except for courts acting in their judicial capacity);
  •  Carry out large-scale systematic monitoring of individuals (for example, online behaviour tracking); or
  •  Carry out large-scale processing of special categories of data or data relating to criminal convictions and offences

You may appoint a single data protection officer to act on behalf of a group of companies or public authorities. Any organisation can appoint a DPO, regardless of whether the GDPR requires you to do so.

Question Seven

"What happens if I lose a laptop/company mobile phone/USB that has sensitive data on it – who do I report it to?"

Firstly, you only need to notify the relevant supervisory authority of a breach where it is likely to result in a risk to the rights and freedoms of individuals, such as their human rights and freedom of expression. Supervisory authorities differ from country to country, but in the UK it’s the ICO – the Information Commissioner’s Office – based in Wilmslow, Cheshire, with offices in Scotland, Wales and Northern Ireland.

A breach must be reported if it will have a detrimental effect on individuals, resulting in (as the ICO puts it) discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.

For example, if a breach of customer details leaves customers open to identity theft, that must be reported.

Individuals must be notified immediately if it’s a high-risk breach, as well as the relevant supervisory authority. For those in the UK, this means telling the individual and informing the ICO.

Question Eight

"Will data providers now go out of business? Surely they can sell GDPR-compliant data lists?"

Perhaps, but more likely they will have to work harder and therefore costs will increase. Data providers will need to reassess the way in which they build their lists. They will need to obtain consent from each individual on the list so they can compile that information – and they will also need to obtain separate consent from them so they can sell that list to third parties. It’s a lot of work, but it can be done.

Question Nine

"Is double opt-in a guidance or a law? Does GDPR include ‘double opt-in’? I.e. A website visitor said “OK” passively, but do I need to confirm their consent? Surely single consent is enough?"
Double opt-in is a guidance, not a law.

In order to comply with GDPR regulations, you have to be able to prove that the individuals that you are contacting have provided affirmative consent for you to do so.

In order to prove affirmative consent, you must be able to show that they have completed an action to say: 'yes, I'm happy with this'. You can no longer have pre-ticked boxes or assume consent based on an individual's inactivity. Also, you must provide opportunities for the individual to opt-out of any communication if they so wish.

Double opt-in, however, requires the individual to provide their consent twice and thus improves your record of consent, but it is not a legal requirement. Double opt-in is simply best practice, as it leaves no room for error when it comes to being able to prove consent further down the line.

If you are only gaining one stage of affirmative consent, make sure that you are also providing opportunities at every touchpoint for the contact to opt out of communications.

Question Ten

"What about my contact database? Can I still email these people?"

The GDPR states that you are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. But if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard of being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. So, make sure you update your consent mechanisms if needs be!

We hope you have found this GDPR FAQ document to be useful and would be very happy if you were to share it with others through social media. Of course, this is a living document and it will be routinely updated up until the commencement of the GDPR to ensure absolute accuracy.

Question Eleven

"What are the legal/lawful bases for processing?"

Under GDPR, there are six lawful bases/grounds for processing. At least one of these must apply whenever you process personal data (to find out more about personal data, please see Question Twelve, ‘What is personal data/personal information?’).

No single legal basis is better than another but the legal basis you choose will depend on your business and your requirements.

The six legal bases are as follows:

Consent: the individual – the data subject – has consented to the processing of their data

Contract: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

Legal obligation: processing is necessary for compliance with a legal obligation to which the controller is subject.

Vital interests: processing is necessary in order to protect the vital interests of the data subject or of another natural person.

Public interests: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Legitimate interests: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Question Twelve

"What is personal data/personal information?"

Personal data means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

Identifiers could be a person’s name, an identification number, location data or online identifier – the ICO outline the different identifiers that could be used to distinguish an individual here.

Question Thirteen

"What is the right to be forgotten?"

The right to be forgotten – also known as the right to erasure – is where individuals have the right for their personal data to be erased completely. Individuals can make a request for erasure verbally or in writing.

Question Fourteen

"What is sensitive personal data?"

Sensitive personal data, known under the GDPR as special category data, consists of information about an individual’s:

  • Race;
  • Ethnic origin;
  • Politics;
  • Religion;
  • Trade union membership;
  • Genetics;
  • Biometrics;
  • Health;
  • Sex life; or
  • Sexual orientation

This type of data, according to the ICO, could create more significant risks to a person’s ‘fundamental rights and freedoms’.

Question Fifteen

"What rights do individuals have under GDPR?"

Under GDPR, individuals have the following rights:

    • The right to be informed
    • The right of access
    • The right to rectification
    • The right to erasure
    • The right to restrict processing
    • The right to data portability
    • The right to object
    • Rights in relation to automated decision making and profiling