Understanding and complying with GDPR, the new data protection law coming into force in May 2018, can be intimidating for marketers in small-medium organisations and agencies already pushed for time and resources.
Faced with the risk of financial and reputational penalties from the Information Commissioner’s Office (ICO), it can be a challenge to know where to look for guidance.
Help is at hand from the very same enforcement body, the ICO. Perhaps based on the premise that prevention is better than cure, the ICO produces practical advice on its website (ico.org.uk) and offers a dedicated support line (0303 123 113).
Information Commissioner Elizabeth Denham said: “Small organisations… are less likely to have compliance teams, data protection officers or legal experts to advise them. Our new phone service and all the other resources already on our website… will help steer small businesses through the new law.”
What is the ICO?
The ICO is an independent authority that upholds information rights in the public interest, promoting transparency by public bodies and data privacy for individuals. It has the authority to prosecute, enforce and audit businesses it suspects of non-compliance with GDPR come May 2018.
It holds responsibilities in eight key areas:
A register of data controllers
Currently, the Data Protection Act (DPA) 1998 requires every organisation that processes personal information to register with the ICO - unless they have a special exemption. The ICO publishes this searchable register of nearly half a million (498,108) data controllers on its website.
Upholding legislation for specific acts and regulations
The ICO upholds information rights for:
- Privacy and Electronic Communications Regulations (PECR)
- Freedom of Information Act
- Environmental Information Regulations
- INSPIRE Regulations
- eIDAS Regulation
- Re-use of Public Sector Information Regulations
Handling enquiries, concerns and complaints
You can find out more about how the ICO deals with the tens of thousands of issues raised each year by the public on the ICO website.
Taking action for data protection
Criminal prosecution, non-criminal enforcement and audits are the three powers the ICO has at its disposal to deal with suspected transgressions. Currently, under the DPA, the ICO can levy a fine of up to £500,000. Under the GDPR, this will increase to up to 20 million euros or four per cent of worldwide group turnover (whichever is greater). Fines aside, a marketer will understand the damage an action could cause to a brand.
Taking action for Privacy and Electronic Communications Regulations (PECR)
Taking action for freedom of information and environmental information
You can find out more about this plus enforcement action on the website.
The ICO has a duty to co-operate with European and international partners on sharing information and good practice, helping with complaints, investigation and enforcement, and working to improve understanding and guidance. You can find out more on the ICO website.
A grants programme
A key focus for the ICO is to promote good practice surrounding privacy and data protection issues. Their grants programme supports independent research into these areas.
How the ICO can help marketers with GDPR
The ICO marketing section of its website focuses on direct marketing, including telemarketing. It provides some key tips on compliance in:
- Marketing campaigns
- Email marketing
- Postal marketing
- Requests for personal information
Useful materials include its “Direct marketing” guide, but the best place to go is the “Getting ready for the GDPR resources” page in the “Resources and Support” section of the website. It includes:
- A series of GDPR myth busting blogs
- Guide to the GDPR (this is very comprehensive)
- Data protection self-assessment toolkit
- GDPR FAQs
- Preparing for the GDPR: 12 steps to take now
To help marketers prepare for the new regulations, the Chartered Institute of Marketing (CIM) has collaborated with Me Learning to develop an e-learning course titled GDPR - for Marketers. Details are available from the CIM.