GDPR

20th December 2017

Following the hugely successful WE Hub Huddle on the 19th December a number of you spoke to me with concerns for their own situation.

I now set out some basic points which may offer a little clarity. The important point to stress is to approach this calmly. The Information Commission Office (ICO) wants to see that suitable steps are being taken, and are not looking for perfection in outcomes although that is desirable.

GDPR which will pass into law on the 25th May 2018 and be known as the data Protection Act 2018, is about balancing the rights of the individual and their freedom, against the need to use their Personal data the use of which might be a breach of those rights. Brexit is an irrelevance here whilst this is a Europe wide initiative we will not deflect from these laws whether we are in or out.

A lot of information is readily available on ICO website at https://ico.org.uk/

Make a Start.

Start by reviewing your data:

Know what data you are holding

Know why you are holding it

Know how you are holding it

Know where it came from

Know who in your company is responsible for what

Know where you are at risk of a breach

Preliminary.

Let me cut to the point – data is absolutely anything at all that can identify someone. Anything. A phone number without a name; a cookie, an URL, notes in paper form and emails in virtual form. The key is if a person could be identified or tracked back. Carrying out a Google search on a person is a use of personal data. Old files stored in a garage in a filing cabinet – data processing. It pretty much covers everything. Simples.

PECR 2003.

A lot of you email from your database for various purposes. You need to be familiar with PECR the Process & Electronic Communications Regulations 2003. They apply now. You absolutely need an opt in consent to mail marketing material and more. More detail appears on the ICO website.

Register.

£35 pa and you will need to do this if not already done again it is all on the website.

To Consent or not to Consent?

Consent is the big question. When do you need consent? There is a lot of confusion around this and that is because the 2018 Data Protection Act cannot be read for your business in primary colours there are many shades. In other words, does this or that apply to what you are actually doing. This is not a one size fits all law meaning you must review and decide and no Blog can answer everyone, but it can act as a guide.

Consent is only one out of 6 grounds for lawfully processing data.

1 If you have a contract with an individual to supply goods or services, or under a contract of employment – no consent needed to process data, it is already deemed given.

2 Compliance with a legal obligation – you don’t need to ask for consent.

3 Vital interests – an example of this is if processing someone’s data will protect their physical integrity (hospital is one example) or life whether the individual’s or someone else’s.

4 Public duty – for example to complete an official function.

5 Legitimate Interest – this is a big exception and one a lot of you will look to use. When you have a genuine and legitimate reason (including your commercial benefit) to process personal data without consent it is not outweighed by the negative impact on personal freedoms and rights.

6 Consent.

You should not ask for consent if you don’t need to. The lawful uses for processing are reviewed above. Where you do need consent, you must devise a mechanism that requires a positive response or action to opt in. Saying it is on your Privacy Notice and by proceeding you are deemed to consent won’t do. Pre-ticked boxes won’t do, (post ticked boxes will, the individual took a positive step to tick it). Here are some ideas you may have others:

  • Signing a hard copy consent statement on a form;
  • Clicking an opt in button or online link;
  • Responding to an email requesting consent;
  • Answering “yes” to a verbal request (but be careful to document this);
  • Dropping a business card into a box set up for the purpose;

The point is that the consent must be informed, (very important to set out each and every use the data will be put to and that is essential for example we will contact you for marketing or to keep you updated and so on), transparent, made without duress (i.e. they have no choice, consent or else . . .) and freely given.

The challenges with consent as opposed to another lawful ground is that it can be time consuming and risky to rely on consent. For instance, if you are using consent to process personal data for one purpose and want to next use it for another and they weren’t informed at the beginning you must ask all over again. Anyone who refuses consent or doesn’t reply to you must, be removed from your records.

Individuals can withdraw consent at any time (a freedom) which means that you must remove them from your records. You cannot ask anyone who has opted out if they want to reconsider. This has resulted in a number of fines being levied by the ICO it just cannot be done. Problems, arise usually after a complaint meaning a dissatisfied customer, so be aware. Keep the customer sweet!

Reporting.

There is a new obligation to self-report and you have 72 hours and not longer. The suggestion is to notify the ICO of the breach and tell them that more details will follow. As things stand the ICO are not interested in small breaches only major breaches. They are stretched thin and there is a time lag which I was told is presently 6 months to respond (I imagine this does not apply to major breaches).

Some quick final Q & A’s.

  • What about B2B marketing? – it makes no difference the same applies. Personal data will include a business email address.
  • Is someone handing me a business card, consent? – No, just handing over a card on its own is not consent. It must be informed, transparent and freely given so the information must be given first. Above I gave an example for using a business card as part of the consent process, but it must still be after being told the uses the personal data will be put to.
  • How about sending transactional emails to clients/customers? – You don’t need consent for this for instance sending your customers invoices.
  • Do I need consent from each individual person on my database? – yes, apart from transactional ones and of course if you aren’t relying on consent as your lawful grounds then no.
  • What happens if a customer gives me someone else’s details? – you still need that person’s consent.
  • How about existing contacts I have on my CRM database? – existing contacts are treated no differently from new contacts and this will be disappointing for some of you where you are falling back on consent as the lawful ground. Apart from transactional emails if you don’t have the individuals consent already, you have to ask if you want to email them after 25th May 2018.
  • How do I get consent from my existing contacts? – a good way to gather consents from existing contacts is to send them an email asking them to access a webpage and give consent.
  • Can I send an email out asking for consent from someone who hasn’t already given it? – Up to 25th May next year, yes. After that you need prior informed consent.
  • What about outside of the EU? – GDPR only applies to EU citizens.
  • Can you ask people to click if they don’t want to receive something for instance a newsletter? – No. You need a positive opt in not passive opt out.
  • Can you rely on your Privacy Notice which says by continuing they give their consent? – no. Again, this is passive and not a positive opt in.
  • How does GDPR affect bundled data lists that are purchased? – Lists where an individual has allegedly consented to their personal data being used to be sold to 3rd parties are now outlawed. A proper consent is where a person allows themselves to be contacted from a specific organisation about a specific product or service. Marketing emails need prior consent. So, you cannot send emails to a purchased list no matter what the vendor tells you – they will be in breach if they sell you a list containing EU citizens.
  • How about non-personal email addresses? – email addresses such as info@ or sales@ are exempt they are not personal, so no consent required.
  • What about contacting people over Skype or WhatsApp? – consent still required.

Alex Marks – Work Avenue Business Adviser – www.theworkavenue.org.uk