GDPaaaargh! The date has finally arrived, but there’s no need to panic
Unless you’ve been living under a rock for the last 3 months, you can’t help but have noticed how many companies have been emailing you saying how much they “hate goodbyes”, and will “miss you” from their email marketing lists.
Yes, GDPR requires a certain ‘tightening up’ of process, but things have quite clearly got a bit out of hand and a certain amount of panic has set in. Companies are threatening to delete all their databases and even asking customers for permission to retain their billing details!
It’s likely you will have already done something about GDPR, but equally there will be many companies who have been so confused about it that the date has arrived and they’re still wondering what they ought to do.
After the Bullet Proof Agency Network GDPR event this week, I thought I’d jot down a few key points to consider. Of course, the usual “this is not legal advice” caveat applies, but it’s my interpretation based on yesterday’s discussion from esteemed authority Steve Kuncewicz, partner at BLM Law.
When will my inbox get a break?
We’re all fed-up of “not another GDPR email” appearing in our subject lines, so why so many?
Historically, there were lots of people basically just sending out spam, casually adding people to mailing lists and completely ignoring the Data Protection Act. Those with something to fear under GDPR thought they ought to double check their lists and started sending emails asking people to confirm their opt-in - which, in many cases, went to people who had never opted in in the first place!
Other people have seen this, panicked and thought they need to do the same thing - hence a deluge of emails from every company you've ever dealt with. Only now it's got a bit stupid, with companies asking people to just opt-in for the sake of it. This has often been done without sharing their updated privacy policy or stopping to think how they could even do business with people without their data.
So believe me, I for one am hoping next week there will be far fewer emails flying around.
GDPR is really nothing more than the Information Commissioner turning up the volume on the Data Protection Act
Steve Kuncewicz, partner at BLM Law
GDPR is DPA with a stronger voice
GDPR is really nothing more than the Information Commissioner turning up the volume on the Data Protection Act (DPA). The DPA from 1998 has been abused by many organisations since it became law and has simply not kept pace with changes in technology, so GDPR is not a rewrite of the law, but builds on existing rules that have been around for several years. So, don’t panic or rush to send an email out just because everyone else has.
Do I need to get consent from all my customers?
More than likely you won't! We've had pretty good consent rules around email marketing for several years, but of course this can depend on how you gathered your data and whether you’re working in a B2B or B2C organisation.
Under GDPR, consent is only one of the lawful bases for processing personal data. Arguably it’s the hardest of all to satisfy, but you do not need consent simply to hold personal data about people.
The other lawful bases for processing personal data are:
- Contractual obligation
- Vital interests
- Legitimate interests
- Legal
- Public duty
If you’re entering into a commercial agreement with someone, both parties would normally be giving consent for their data to be held as part of that contract. However, consent does then begin to play a part because GDPR considers how that data might be used - this is sometimes termed the “unbundling of consent”.
Consent under GDPR must:
- Be specific
- Include an affirmative action
- Explain why personal data is being collected and how it will be stored (usually as explained in your privacy policy)
The so-called “unbundling of consent” means you need to specifically ask users what they consent to. In short, you can’t collect data for one reason and then use it for another, unless consent for the secondary reason has also been obtained. However, be wary of asking for consent on everything. You’ll create privacy fatigue, and if you’re already using platforms like Mailchimp for newsletters, then you will already have obtained consent. It would be worth noting this as part of your process, and perhaps consider recording what specifically the consent was for.
Update your privacy policy
If there's one thing you do, update your privacy policy and add it to your website. You should tell people about the data you collect and why you collect it. If anyone else has access to their data, you should mention them and explain why they also need to see it.
There’s a helpful primer for creating your privacy policy which you can download from the ICO.
You might also want to carry out a Privacy Impact Assessment, which is basically a risk assessment for your data. You’ll be forced to consider the ‘what ifs’ in case there’s a problem, and therefore minimise the risk of processing personal information.
Map your Data Stores
Where is the data you hold being stored? On a laptop? Memory stick? Website? External CRM, or mailing platform?
Try and outline the network of your data stores and refer to the safeguards that apply to each point. If you're not sure about which services you might be using, or the physical location of your data, we can trace this and create a network diagram that would form part of your compliance.
Audit Yourself and Document It
Look at where you’re collecting data and ask yourself if you really need to. If you find yourself having to justify whether you need certain data, then you probably don’t. In fact, if you can’t sum up your reasoning within a short sentence, it’s time to change the level of detail you hold.
Think back to the 6 Principles of GDPR and ask yourself, does it feel ‘right’?
Then document your decisions - why you can justify holding the data, when consent might have been given, when it’s reasonable to remove data and so on.
Still got work to do?
Well, most importantly, don’t panic! Get in touch with us and we can see which steps you might need some help with. Whether it’s making your forms GDPR-proof by asking the right questions or improving the user experience, or mapping out your data stores and collection points, we can offer some guidance and support to help you comply.
While there’s been talk of fines, the priority is to be able to demonstrate you’ve taken steps to comply. This will most likely result in you getting guidance and help to fully comply, rather than simply being given a penalty.
And on that note, the ICO does have everything you need to know about GDPR on their site which is worth checking out, as there are elements that are being constantly updated.
There’s also the ePrivacy Regulation coming soon?
The ePrivacy Regulation is due to follow GDPR and is likely to come into force later in 2018.
You mean, we need to go through all this again, I hear you say?
Well hopefully the same levels of hysteria won’t flood your inbox, but in short, if GDPR is about the data you hold, then ePrivacy is about how that data is used.
Arguably, the ePrivacy Regulation could have a greater impact on businesses than GDPR though. Under current rules as an example, Business-to-Business (B2B) communications are treated differently to Business-to-Consumer (B2C), but this is likely to change when ePrivacy is introduced.
I think we can breathe a sigh of relief that there will be some respite for inboxes for a while before getting too bogged down in ePrivacy. Don’t delay for too long though, as it’s not that far off, so it’s worth thinking about sooner rather than later.
Andrew Armitage
Andrew is the founder of multi-award winning A Digital and believes that technology should be an enabler, making a positive impact on the way people live and work.