11 Jan GDPR and How to Prepare for it
GDPR is coming, are you ready?
This time last year we also gave you the heads up.
Doesn’t it drive you crazy when you’ve unsubscribed from an email list, only to find that they seem to have re-subscribed you and the emails keep coming?
Well, stress no more because as of May this year, any business that stores your data, communicates with or markets to you will get in serious trouble if they continue this sort of behaviour!
In January 2017 we reported on the big change which comes into full force on Friday 25th May 2018: the General Data Protection Regulation (GDPR). This will impact all UK businesses regardless of Brexit.
This is not something you will want to leave until the last minute, or consider ignoring. Regardless of your business size, if you’re not ready once this comes into full force it could be extremely costly and damaging, both financially and to your brand reputation.
Breaking this law, whether uncovered by the regulator or reported by one of your customers, could result in fines of up to €20m (roughly £17m) or 4% of your global annual turnover, whichever is higher. Smaller breaches will attract smaller penalties, but this isn’t something to be taken lightly.
The bottom line is, if you ask for someone’s personal data in order to communicate with them or market to them, then you should be able to explain to them exactly what you need it for and how you intend to use it. The person giving you their information is now in control.
Consent is the key word here.
If you rely on consent to use someone’s data, then they must have given it from the get-go and you must retain a record as proof of that consent: who, when, how and what they agreed to. If the person then asks you to remove their data or to be ‘forgotten’, you must delete it without undue delay (and respond within a month at the latest).
Here’s what you need to do at the very least:
- Look at the information you hold on individuals and business contacts
- Look at where you obtained this information from and who has access to it
- Consider all the different areas in which duplicate information might be held
- Review your privacy policies and include the ICO-recommended information, written in plain language that is easy to understand and interpret
- Consider how you delete personal data as requested and who is responsible for this role
- Plan how you will react and respond to held data access requests in a timely manner
- Review your lawful basis for processing personal data (see below)
- Look at how you obtain, or obtained, consent from past, present and future contacts
- If you require consent from minors it will be essential for you to obtain consent from their parent or guardian
- Plan how you will deal with any data breaches to ensure you can detect, investigate and take action where necessary
- Designate a Data Protection Officer to deal with the compliance and if your business is global you will need to ensure you carry out the required cross-border checks as necessary
Lawfulness of Processing
The use of personal data is lawful only if at least one of the following applies when obtaining and handling it:
- Consent has been given to process their personal data
- Processing is necessary for the performance of a contract with them
- Processing is necessary for compliance with a legal obligation
- Processing is necessary to protect the vital interests of the data subject or another person
- Processing is necessary for the performance of a task carried out in the public interest
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
Note that most marketing will fall under either consent or legitimate interests, and you should record which one you are relying on for each use of the data.
If you’re B2C it is likely that you already have an opt-in option for your customer base to receive marketing material from you and for you to use their data for this purpose. If you don’t, you have probably been in breach of the existing rules on electronic marketing (PECR) for some time, so we suggest you get on that right away!
You will then need to get your existing customers to opt-in so you can ensure you have their consent to communicate with them in this way going forward.
If you’re B2B you need to ensure that all of the above elements are in place and it would be wise to gain consent on all marketing too. Better to be on the safe side by implementing every element required already, although some B2B aspects are still being ironed out.
Opt-in could be a sign-up form where they manually enter their details and are then sent an automated email explaining exactly what you will do with their data, asking them to confirm their subscription (their ‘consent’) by clicking a link or ticking a box. Once they do, you have their permission to use their data in the way you laid out.
This way you have a digital trail of who opted in, when, how and can easily remove their data should that be requested. ‘Double Opt-In’ is always the best way to go.
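To make the ‘digital trail’ concrete, here is a small double opt-in ledger written for this post as an illustration; it is not code from the original article or from any particular mailing tool. It assumes an in-memory store, a 48-hour lifetime for confirmation links and a privacy-notice version string, all of which you would adapt to your own system. What it shows beyond the text: the confirmation token is unguessable and single-use, the record captures what was agreed and under which wording, consent can be withdrawn per purpose, and an erasure request also cancels any unconfirmed sign-up so a later click on an old link cannot quietly re-add the person.

```python
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 48 * 3600  # assumed: unconfirmed sign-ups expire after 48 hours


@dataclass
class ConsentRecord:
    """Proof of consent: who, when, how, and exactly what they agreed to."""
    email: str
    purposes: tuple        # e.g. ("newsletter", "offers"), as shown on the form
    source: str            # where the sign-up came from, e.g. "website footer form"
    notice_version: str    # which privacy wording they were shown
    requested_at: int      # unix time the form was submitted
    confirmed_at: int      # unix time the confirmation link was clicked


class ConsentLedger:
    """Illustrative double opt-in ledger (in-memory; a real one persists to a database)."""

    def __init__(self):
        self._pending = {}   # token -> (email, purposes, source, notice_version, requested_at)
        self._consents = {}  # email -> ConsentRecord

    @staticmethod
    def _norm(email):
        return email.strip().lower()

    def start_signup(self, email, purposes, source, notice_version, now=None):
        """Step 1: form submitted. Returns the token to embed in the confirmation email."""
        now = int(time.time()) if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable; this is the only link to the request
        self._pending[token] = (self._norm(email), tuple(purposes), source, notice_version, now)
        return token

    def confirm(self, token, now=None):
        """Step 2: link clicked. Returns the ConsentRecord, or None if the link is invalid."""
        now = int(time.time()) if now is None else now
        pending = self._pending.pop(token, None)  # pop: a token can only be used once
        if pending is None:
            return None  # unknown, already used, or cancelled by an erasure request
        email, purposes, source, notice_version, requested_at = pending
        if now - requested_at > TOKEN_TTL_SECONDS:
            return None  # stale link: they must sign up again
        record = ConsentRecord(email, purposes, source, notice_version, requested_at, now)
        self._consents[email] = record
        return record

    def may_contact(self, email, purpose):
        """Only ever send for a purpose the person explicitly confirmed."""
        rec = self._consents.get(self._norm(email))
        return rec is not None and purpose in rec.purposes

    def withdraw(self, email, purpose):
        """Withdrawing consent must be as easy as giving it; one purpose at a time."""
        email = self._norm(email)
        rec = self._consents.get(email)
        if rec is None or purpose not in rec.purposes:
            return False
        remaining = tuple(p for p in rec.purposes if p != purpose)
        if remaining:
            self._consents[email] = ConsentRecord(
                email, remaining, rec.source, rec.notice_version,
                rec.requested_at, rec.confirmed_at)
        else:
            del self._consents[email]
        return True

    def erase(self, email):
        """Right to be forgotten: drop the record AND any unconfirmed sign-up for that address."""
        email = self._norm(email)
        existed = self._consents.pop(email, None) is not None
        stale = [tok for tok, p in self._pending.items() if p[0] == email]
        for tok in stale:
            del self._pending[tok]
        return existed or bool(stale)

    def record_for(self, email):
        """Used when answering a subject access request: what do we hold and why."""
        return self._consents.get(self._norm(email))
```

The `now` parameters exist so the expiry logic can be exercised with fixed timestamps; in production you would leave them out and let the ledger use the clock. The suppression problem from the start of the post is the `erase` method: if it only removed the confirmed record, a confirmation link still sitting in someone’s inbox would put them straight back on the list.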
All data must be kept up to date, accurate, secure and kept for no longer than is necessary.
The ICO provides a handy code of practice for a privacy impact assessment here: https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf
If this has made you think about your own database then please get in touch with us to discuss further as we would be only too happy to help ensure that you’re 100% digitally compliant in whatever way we can when this comes into force this May.