Like many organisations across the UK and Europe, we are getting ourselves ready for the arrival of the new GDPR legislation in May 2018, so we thought it would be helpful to share our thoughts.
Let’s start with a bit of background:
GDPR, or the General Data Protection Regulation to give it its full title, is a new legal framework which comes into force across Europe on the 25th of May next year. The general themes of GDPR are to improve the protection of individuals’ personal data, to harmonise the laws across the European Union and to strengthen the legislation, imposing more obligations and potentially higher fines on Data Controllers and Data Processors.
Just to confuse matters, there is also another set of legislation on the horizon which overlaps with GDPR: the ePrivacy Regulation from the European Union (also known as the Cookie Directive). The ePrivacy Regulation is set to become law on the same day as GDPR and it covers areas such as the use of email marketing, cookies, marketing telephone calls, etc. The ePrivacy Regulation will replace the existing Privacy and Electronic Communications Regulations (PECR) here in the UK. However, the ePrivacy Regulation is still in draft form, so there is the potential for these dates to change.
If you want some light reading on these topics I would recommend the following:
- The Information Commissioner’s Office (ICO) in the UK is the body that will enforce these laws, and it provides good guidance on both GDPR and PECR
- Linklaters have a useful blog on the ePrivacy regulation
Let’s start by stating our position on these topics:
- Our organisation already has strong processes and procedures in place to protect all data, including personal data. However, we will be reviewing these to ensure we will meet our obligations under the new legislation by May 2018.
- We will be updating our terms of service (the terms under which our clients use our cloud services) to reflect the requirements of the legislation. These new terms of service will be effective for all clients and we anticipate having these in place in early 2018, before the deadline.
- We will be adding some new functionality to the Workbooks platform to help clients address some of their obligations by the end of 2017.
And now let’s add some colour to that…
In our view, the changes for GDPR are sufficient to warrant a complete review of the way you store and protect personal data. Unfortunately, you just can’t ignore it.
Our existing terms of service will need an update and we will make it clear that Workbooks will step up to our obligations under GDPR, so if you are a client of ours and you are reviewing your suppliers, you can be certain we will have new terms well before the deadline hits.
Having reviewed some of the requirements of GDPR, we have been thinking: “How can we make this easier for ourselves and our clients?” We believe one way is to add additional functionality into Workbooks CRM to help organisations meet some of their obligations.
For clarity, using Workbooks products won’t make you ‘GDPR compliant’, but by managing personal data inside our platform, we believe we can make it much easier to comply with the rules.
At the core of our product improvements will be a new record called a ‘Compliance Record’. This record will be connected to People and Leads in Workbooks (where you typically store personal data) and will allow you to record any evidence on what legal grounds you are processing personal data.
So, if for example you are processing personal data on the grounds of ‘Consent’ (one of the six legal grounds), you can record that fact against the person or lead and evidence how you captured consent (e.g. screenshot, or consent statement), when it was captured, and how long the consent is considered valid for (i.e. when you would need to capture consent again).
The Compliance Record can be used to record any legal grounds for processing data, not just consent. It’s highly likely that for many organisations, there will be contractual obligations and legitimate interest grounds (two more of the six legal grounds to process personal data).
The Compliance Record will help you understand which records inside your CRM database you have valid legal grounds to process and which you may not. We will also be tying the concept of compliance into the email marketing tools we provide, so you will only be able to mailshot to those individuals who have valid Compliance Records. This ‘GDPR Mode’ will be an option you can turn on or off, depending on your requirements.
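The model described above, as an added example that is not Workbooks’ own code: a hypothetical Compliance Record holding the legal ground, evidence, capture date and validity period, a check for which people lack a valid ground on a given date, and a ‘GDPR Mode’ switch that restricts a mailshot to individuals with a valid record. Field and function names are this example’s assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# The six lawful bases of GDPR Article 6(1); the page names consent, contract
# and legitimate interest. The identifier strings are this example's own.
LEGAL_GROUNDS = {"consent", "contract", "legal_obligation",
                 "vital_interests", "public_task", "legitimate_interest"}

@dataclass
class ComplianceRecord:
    """Hypothetical model of the page's 'Compliance Record' tied to a Person or Lead."""
    person_id: str
    legal_ground: str
    evidence: str                           # e.g. "screenshot of consent form v3"
    captured_on: date                       # when the ground was established
    valid_for: Optional[timedelta] = None   # None: no fixed expiry (e.g. a contract)

    def is_valid(self, on: date) -> bool:
        """True if this record gives a lawful ground for processing on date `on`."""
        if self.legal_ground not in LEGAL_GROUNDS or self.captured_on > on:
            return False
        if self.valid_for is None:
            return True
        return on < self.captured_on + self.valid_for  # past this, consent must be re-captured

def people_with_valid_ground(records, on):
    return {r.person_id for r in records if r.is_valid(on)}

def people_without_valid_ground(people, records, on):
    """Those you may lack a lawful ground to process: review them or re-capture consent."""
    valid = people_with_valid_ground(records, on)
    return [p for p in people if p not in valid]

def mailshot_recipients(people, records, on, gdpr_mode=True):
    """With 'GDPR Mode' on, only individuals holding a valid Compliance Record are mailed."""
    if not gdpr_mode:
        return list(people)
    valid = people_with_valid_ground(records, on)
    return [p for p in people if p in valid]

# Constructed sample data (not real individuals), evaluated on the GDPR start date.
PEOPLE = ["alice", "bob", "carol", "dave"]
RECORDS = [
    ComplianceRecord("alice", "consent", "screenshot of web form", date(2017, 11, 1), timedelta(days=730)),
    ComplianceRecord("bob", "consent", "consent statement v1", date(2016, 1, 1), timedelta(days=365)),
    ComplianceRecord("carol", "contract", "signed order form", date(2017, 3, 15)),
]
GDPR_DAY = date(2018, 5, 25)
```

Bob’s consent has expired and Dave has no record at all, so with GDPR Mode on only Alice and Carol receive the mailshot; with it off, everyone does.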
We will provide more details over the forthcoming weeks and months, but our plan is to have the first phase of functionality released by the end of 2017, 5 months before the deadline. If you are already looking to capture consent from your data subjects now, we would recommend using the Workbooks GatorMail solution and its online forms, which already provide the tools to capture and record consent today.