The implementation date has been and gone, and whilst there was a lot of unnecessary panic and worry, it is clear that since the hype died down many businesses are failing to implement the simple practices that would ensure they continue being, or ever were, GDPR compliant.
We are often asked by our clients ‘will this document make me compliant’? The short answer is ‘no’.
Unfortunately, the internet is still overloaded with GDPR compliance material that isn’t always correct, and understandably this can be very confusing for any business owner. My advice would be to look at the source: are they credible? If you would rather have one-to-one advice, speak to someone you trust in a professional capacity who can simplify it so you completely understand it.
The definition of personal data has become wider: any information that can directly or indirectly identify a person is now considered personal data. That includes names, photographs, telephone numbers and email addresses. It also covers business email addresses such as mine (email@example.com), but not our generic info@ address.
The answers to these questions will help you identify weak spots in your current policy and will highlight where the issues are. If you’re not sure how you collected the data or whether you asked for consent or not, then that’s clearly a problem and it needs to be addressed. By getting an overview of the current data you hold and how you use it, you’ll be able to see what is needed to ensure GDPR compliance.
Bear in mind, it is only lawful to process data in certain circumstances and you need to be clear on what your basis is for each set of data you’re holding. If you have a contract with someone, for example, it is lawful to use the data to fulfil your obligations under that contract – this would include your employees, customers and suppliers. It is also lawful if you’ve obtained consent from the individual. Just make sure you are clear on what basis you are using. Take a look at the ICO website if you’re not sure – they have some useful guidance.
It is a good idea to delete unnecessary data.
Depending on how long your business has been operating, it is likely you hold a lot of data that is no longer needed and has no benefit to your business whatsoever. By cleansing your database you will not only have a clearer picture of who your real prospects and clients are, you will also reduce the risk from any breach.
Not only that, how do you know data that is years old is even still correct? Keeping data accurate is one of the principles of the GDPR.
Marketing is probably the biggest worry surrounding GDPR, although it is predominantly covered under the Privacy and Electronic Communications Regulations (PECR). The GDPR does not replace PECR; it has widened the definition of consent. You need to comply with both GDPR and PECR, even for your B2B marketing.
Again, consent is not the only way to market but you do need to be clear on what lawful basis you are relying on. Consent must be freely given (so no pre-ticked boxes or schemes to build a marketing list); this means giving people genuine ongoing choice and control over how you use their data.
Consent should be obvious and require a positive action to opt in. Saying ‘Enter my competition with your email address, but by doing this you agree to all future marketing’ is not a positive opt-in.
I would also be very clear, in any email you send, about why you are sending it: ‘You are receiving this email because … ’. Not only is this clear and transparent (another principle), it also removes the grounds for recipients to complain about your method of contact. The email may be perfectly legitimate, but stating why it was sent avoids any misunderstanding and avoids appearing as though you have ignored GDPR altogether.