It has now been almost a year since GDPR became enforceable by law, after attending an event yesterday where I spoke a little bit about GDPR and marketing. I thought this would be a good opportunity to take a look at what has happened in the past year.
GDPR came in to effect on 25th May 2018. There was a huge panic around this time and we as a business were absolutely stacked with clients needing advice, wanting policies and guidance on what it even meant. The reasons for the reform of the law, made sense, there is no doubt it was completely necessary to update the law since the last act was 20 years old.
Ultimately it is there to protect individuals’s personal data by offering people genuine choice and control over how organisations use their data. and to make sure that organisations only store and use data where they have a lawful basis for doing so.
Remember there are SIX lawful basis on which processing can be applied and these are as follows:
- Consent
- Contract
- Legal obligation
- Vital interests
- Public task
- Legitimate interest
So a year on then, and it’s of course still being misunderstood and the 6 lawful basis for processing personal data brings me on to …..
YOU DO NOT ALWAYS NEED CONSENT!
Like seriously, it is overkill. An affirmative act of, for example booking a visit to a nursery online by inputting my details (because I did this this week) does not need a tick box to say ‘I consent to having my details stored for the purpose of booking a visit.’ Of course I do, the act of completing the form, selecting a time slot is ENOUGH and there is an implied consent there.
However, it would be necessary to have a tick box to say ‘I consent to being added to a mailing list’ as consent is the best basis for processing data in this way. The other lawful basis of processing here though is of course legitimate interest as it wouldn’t be wrong to assume that by myself booking a nursery visit I am clearly interested in what that nursery has to offer, there is a benefit to me and receiving future marketing for that reason would not be a breach. However I would always recommend getting consent over whacking someone on to a mailing list, unless you are tailoring you marketing very specifically to enquiries or existing clients etc.
Another overkill on consent I spotted this week was via my eldest daughters school, she was ordering her school leavers hoody as she is coming up to the end of year 6. On this form, I completed her name and ticked the size hoody I wanted to order along with the colour. There was then 3 tick boxes for consent, yes THREE. One was ‘I consent to having my daughters details stored for the purposes of printing on to the hoody’, well obviously! That is the whole contract here, relying on the contractual lawful basis of processing. They also wanted me to consent to having her details passed to a third party for the purposes of printing on to the hoody. Again yes of course, I have paid for the hoody, I have signed to say I want the hoody, just send me the blimming hoody. Whilst they may think they are doing everything in line with GDPR, they are doing it wrong and have missed off some important stuff. Consent isn’t needed here, a privacy notice is.
Throughout the year I have also been asked for my consent from both nursery and school to store both my daughters details. What if I said no? In fact I didn’t actually complete either of the forms requiring my consent. It simply just isn’t needed. Yes consent is a huge part of GDPR, but as an educational establishment they have legal obligations that require them to collect, process and store personal data and therefore you do not need consent to collect certain data from parents or children. Common sense really.
Then on the flipside, I am still seeing pre-ticked boxes on websites, some very high profile organisations too. I have still been added to mailing lists after an exchange of business card, and there are still incomplete privacy polices all over the shop.
IT HASN’T GONE AWAY!
Just because the hype isn’t there anymore does not mean it has gone away. The ICO are fining organisations, although maybe not the huge fines that were written into the regulation that everyone was concerned about, but they are. Google was imposed a fine of 50 million euros by the French data protection regulator as they said Google’s processes in relation to its advert personalisation lacked transparency, contained inadequate information and lacked valid consent. Facebook was fined £500,000 for collecting personal data about the friends of users, without those friends being informed that their data was being collected, and Several charities including Cancer Research UK, Macmillan Cancer Support and The Royal British Legion were fined various amounts for failing to adequately indicate in their privacy notices that personal data may be processed for wealth analysis to identify those who were in a position to donate more money.
Yes these are big companies, they are well known, but go on to the ICO website and you’ll see that there are smaller businesses too. Fines, and investigations are pending. Lets be real though, the smaller you are it is unlikely the ICO are going to come knocking at your door, but don’t ignore it. It is important not only because of the likelihood of fines but also on how your business is received. Get your marketing wrong, those you are marketing to will instantly take a dislike to you and of course that will not be effective.
It is worth noting here that these fines were not imposed due to marketing as such but the storing of data. GDPR is not JUST ABOUT MARKETING and where is is using Mailchimp does not automatically make you, as a data controller compliant.
I could blog forever about GDPR as there are so many different areas and topics regarding GDPR but I shall leave you with this …
THERE WILL BE MORE!
It may be hard to believe that businesses are due another set of digital regulations. Even though the ePrivacy Regulation is still in draft, and despite plans for 2019 there is no real idea of when it will come into play yet, it will work alongside GDPR giving businesses more liablity around digital privacy. As a regulation (rather than a directive), the new set of rules will provide a blanket law for all EU member states, and won’t need to be made into individual laws by each specific country. Regardless of brexit, whether we’re in and out it is highly likely we will write it into our own law anyway, because we usually do agree with the laws that are imposed on us.
From my understanding the ePrivacy regulations have been approved by the EU council and the negotiations will begin after the EU Parliament elections, so watch this space.