We’ve been asked by a number of clients recently about the new GDPR. Our advice is act but DON’T PANIC!
The purpose of this article is not to go into the ins and outs of the GDPR as you’ve probably read an awful lot on it. The purpose of this article is to stop organisations committing business suicide.
You will all be very familiar by now with the abundance of “let us know we can still contact you” emails and letters.
Most of the recipients probably don’t mind receiving your newsletters, but, how many of those emails will actually reach it's intended audience and how many people do you think will actually take the time to respond with a “yes, please contact me”. Probably less than 10%. Now, divide your turnover by 10% and that’s the harsh reality of what you will be left with.
The GDPR is essentially new European regulation about data privacy and specifically about personal data. It brings all the decades old legislation up to date with today's technology and how business operates in the 21st century. So what should you be doing? This is definitely the case where one size doesn't fit all but it's not a scary as you may think
What is Personal Data?
Personal Data is ANYTHING that will allow you to identify a living person or connect snippets of data together to allow you to create a profile of a person who can be identified.
You need to know what data you have and where you keep it.
ACTION POINT: Think about what data you have and categorise it:
Know where you keep it, whether it's in a filing cabinet or on computer. It matters where you store your data as if it's stored outside the EU, the EU doesn't necessarily trust other countries with that personal data.
Think about how you process that data and WRITE IT DOWN. This doesn't need to be chapter and verse, it could be a paragraph or two. In you were ever investigated, you then have proof that you've been through the audit process and recorded how the data is processed.
Then think about what the legal processing of that data is from the list below. Data beings to the individual not the company. You only have the right to take data that you have a legal justification for doing so. If you don't have a legal justification, you must delete it.
The GDPR rules state you must have a good reason to keep data. The 6 reasons under the GDPR are:
1. You need the information to fulfil a contract e.g. delivery address for an purchase.
2. Legal Obligation e.g. if you have employees, you have a legal obligation to keep that information on them for 7 years.
3. Legitimate Interest - it's in the interest of your business and the customer to be able to communicate with them.
4. Consent - the customer (data owner) has explicitly given consent to be contacted by you/your business.
5. For The Good Of the Public e.g. if an ambulance service needed personal data to save someone's life.
6. Government have a right to keep full data.
Most businesses will only be concerned with rules 1-4.
In order to market to your list of data, you need to comply with one of the rules above.
You will mainly be concerned with legitimate interest and consent. This is where most of the confusion has come from.
Let's take an example:
You want to email a customer who purchased something from you 2 years ago. You can continue to do this without asking them to tick a box. They have legitimate interest in what you are selling, they've bought from you before, they are probably in the market for that sort of product or service again. it is in your legitimate interest as a business to contact and communicate with that customer.
The test is that it is not detrimental in some way to the customer, that you're not spamming them daily or being a nuisance. You can rely on using data for marketing activities if you can show that the way you use people's data is proportionate and reasonable.
The Information Commissioner Office Website clearly states "the processing of personal data for direct marketing purposes may be recognised as carried out for legitimate reasons"
The consent statement as defined by GDPR has become much more specific. If you are relying on Consent for your reason to market a customer, you are required legally to put in a very detailed consent statement. So for example, if you have 3 product areas and a customer goes to your website to download information on product area A, you should have a consent statement that says tick the boxes if you want information on products area A, area B, area C etc.
Not many customers are going to tick this statement so this method is best avoided for businesses.
So can you just rely on Legitimate Interest? If you can justify that it is reasonable to contact the customer in the way that you are then yes. The exception to this is if you are dealing with highly sensitive data such as children, medical records, gender, religion, disability details etc. In these cases, you may want to have a consent statement and we would recommend you seek an expert for advice on this.
The lowest risk category is in the business to business category, because most of that information is already in the public domain. There is also an easier justification for legitimate interest.
It should be brief, easy to understand, describe the kind of data in broad terms and in broad terms what you do with it.
You must give people the right to unsubscribe from mailing lists and receiving communications.
If asked, you must supply to that person, all the information you have on them.
You must correct any information you hold if you have been advised it is incorrect.
Customers have a right to ask you to delete all the information you hold on them, which you must do unless you are legally obliged to keep that information (e.g. for HMRC).
It is good practice to keep a "do not contact" list to prevent accidentally mailing anyone who has decided they want to be unsubscribed.
Every marketing email must have an unsubscribe option.
If you are called upon, you will need to show you are being fair and reasonable and are attempting to do the right thing by the legislation. You will need to show that you have given thought to the regulations and are taking reasonable care to avoid any breaches. Ensure you have written statements outlining the data you hold, what you do with it, your privacy, complaints and unsubscribe policy to hand.
If your data is breached, record the breach, take the appropriate action to rectify it and prevent future reoccurrence. You are not required in every circumstance to report the breach. It is recommended you seek advice from a solicitor in these situations.
These rules will undoubtedly change over the coming months as they bed in. This article should not be taken as legal advice but as a guide to understanding the Regulations.
If your business generates over £1 million in sales, you should engage a GDPR specialist for a full audit.
References :Jim Simpson, GDPR Specialist, ICO. The information in this article is correct at the time of writing. This document is not intended to take the place of legal advice and if in any doubt as to your obligations, legal advice should be sought from a qualified person. 20 May 2018