A Beginner's Guide to GDPR


At Alexander Business & Law Solutions I find that nearly everyone I speak to wants to know about GDPR (General Data Protection Regulations). And rightly so: it will affect pretty much all of us.

Here are some basic points, regarding a complex area, which should offer some clarity. The important point to stress is to approach this calmly. The Information Commissioner's Office (ICO) wants to see that suitable steps are being taken; it is not looking for perfection in outcomes, although that is desirable.

GDPR will pass into law on the 25th May 2018 and will be known as the Data Protection Act 2018. It is about balancing the rights of the individual and their freedoms against the need to use their personal data, the use of which might be a breach of those rights. (Brexit is an irrelevance here: whilst this is a Europe-wide initiative, we will not deflect from these laws whether we are in or out.)

Make a Start.

Start by reviewing your data:

  • Know what data you are holding;
  • Know why you are holding it;
  • Know how you are holding it;
  • Know where it came from;
  • Know who in your company is responsible for what;
  • Know where you are at risk of a breach.

Preliminary.

Let me cut to the point – data is absolutely anything at all that can identify someone. Anything. A phone number without a name; a cookie; a URL; notes in paper form and emails in virtual form. The key is whether a person could be identified or tracked back. Carrying out a Google search on a person is a use of personal data. Old files stored in a garage in a filing cabinet – data processing. It pretty much covers everything. Simples.

PECR 2003.

A lot of you email from your database for various purposes. You need to be familiar with PECR, the Process & Electronic Communications Regulations 2003. They apply now. You absolutely need an opt-in consent to mail marketing material, and more. More detail appears on the ICO website.

Register.

Registering costs £35 pa and you will need to do this if not already done. Again, it is all on the website.

To Consent or not to Consent?

Consent is the big question. When do you need consent? There is a lot of confusion around this, and that is because the 2018 Data Protection Act cannot be read for your business in primary colours; there are many shades. In other words, does this or that apply to what you are actually doing? This is not a one-size-fits-all law, meaning you must review and decide, and no blog can answer everyone, but it can act as a guide.

Consent is only one of 6 grounds for lawfully processing data.

1 If you have a contract with an individual to supply goods or services, or under a contract of employment – no consent is needed to process data; it is already deemed given.

2 Compliance with a legal obligation – you don’t need to ask for consent.

3 Vital interests – an example of this is if processing someone’s data will protect their physical integrity (hospital is one example) or life whether the individual’s or someone else’s.

4 Public duty – for example to complete an official function.

5 Legitimate Interest – this is a big exception and one a lot of you will look to use. It applies when you have a genuine and legitimate reason (including your commercial benefit) to process personal data without consent, and that reason is not outweighed by the negative impact on personal freedoms and rights.

6 Consent.

You should not ask for consent if you don't need to. The lawful uses for processing are reviewed above. Where you do need consent, you must devise a mechanism that requires a positive response or action to opt in. Saying it is on your Privacy Notice and that by proceeding they are deemed to consent won't do. Pre-ticked boxes won't do (post-ticked boxes will; the individual took a positive step to tick it). Here are some ideas; you may have others:

  • Signing a hard copy consent statement on a form;
  • Clicking an opt-in button or online link;
  • Responding to an email requesting consent;
  • Answering "yes" to a verbal request (but be careful to document this);
  • Dropping a business card into a box set up for the purpose.

The point is that the consent must be informed (it is very important, indeed essential, to set out each and every use the data will be put to. For example: "we will contact you for marketing", "or to keep you updated", and so on). Consent must be transparent, made without duress (i.e. they have no choice: consent or else . . .) and freely given.

The challenge with consent, as opposed to another lawful ground, is that it can be time-consuming and risky to rely on it. For instance, if you are using consent to process personal data for one purpose and want next to use it for another, and they weren't informed of that at the beginning, you must ask all over again. Anyone who refuses consent, or doesn't reply to you, must be removed from your records by 25th May.

Individuals can withdraw consent at any time (a freedom), which means that you must remove them from your records. You cannot ask anyone who has opted out whether they want to reconsider. This has resulted in a number of fines being levied by the ICO; it just cannot be done. Problems usually arise after a complaint, meaning a dissatisfied customer, so be aware. Keep the customer sweet!

Reporting.

There is a new obligation to self-report, and you have 72 hours and not longer. The suggestion is to notify the ICO of the breach and tell them that more details will follow. As things stand, the ICO are not interested in small breaches, only major breaches. They are stretched thin and there is a time lag, which I was told is presently 6 months to respond (I imagine this does not apply to major breaches).

Some questions I get asked are these:

  • What about B2B marketing?
  • Is someone handing me a business card consent?
  • How about sending transactional emails to clients/customers?
  • Do I need consent from each individual person on my database?
  • What happens if a customer gives me someone else’s details?
  • How about existing contacts I have on my CRM database?
  • How do I get consent from my existing contacts?
  • Can I send an email out asking for consent from someone who hasn’t already given it?
  • What about outside of the EU?
  • Can you ask people to click if they don’t want to receive something for instance a newsletter?
  • Can you rely on your Privacy Notice which says by continuing they give their consent?
  • How does GDPR affect bundled data lists that are purchased?
  • How about non-personal email addresses?
  • What about contacting people over Skype or WhatsApp?

For answers to the above contact Alexander Business & Law Solutions.

This blog is presented in order to give a GDPR overview in a clear and straightforward way. It is not intended as advice to you or your business that can be relied upon. Every business is different in some way and needs specific stand-alone advice.

Alex Marks, founder of Alexander Business & Law Solutions

Alexander Business & Law Solutions are business mentors and advisors at https://www.alexanderbls.com/
