We have heard that data protection law is changing – is there anything we need to be aware of?
Sarah Hewitt, a Solicitor in our Corporate and Commercial team, highlights what you need to know about the changes to the Data Protection Act and how these will affect your business.
Q: As a tourism business we regularly send our customers direct marketing material via post and email with new and exciting offers. We have heard that data protection law is changing – is there anything we need to be aware of?
A: The Data Protection Act 1998 (DPA) currently regulates the control and processing of personal data in the UK, but from 25 May 2018 the General Data Protection Regulation (GDPR) will apply, imposing a number of onerous obligations on organisations.
Where a business relies on consent to process personal data (including postal and email addresses), the GDPR raises the standard that consent must meet. In particular, consent will have to be freely given, specific, informed and unambiguous, and it will require a clear affirmative action from the data subject. Pre-ticked boxes, silence or inactivity will not suffice.
You will therefore need to consider how you currently obtain consent from your customers to receive marketing material and whether, in light of the GDPR, your procedures need to be updated. For existing customers that you already send marketing material to, whether you can lawfully continue to send it ultimately depends on the quality of the consent you originally obtained from them under the DPA.
In principle, you will not be required to obtain fresh consent from individuals if the consent you originally obtained already meets the higher GDPR standard. Email marketing already requires a higher form of consent under the Privacy and Electronic Communications Regulations 2003, so if this has been your preferred method of communication in the past, there is a greater chance that your existing consents are already GDPR compliant. It is important to review your current policies and consent records now to avoid non-compliance with the GDPR.
Under the GDPR, the maximum fine for data protection breaches will rise from the current £500,000 to €20 million or 4% of global annual turnover, whichever is higher.