General Data Protection Regulation

The Top 10 questions and answers from our recent seminar with guest speaker Jeremy Holt of Clark Holt Commercial Solicitors.

1. What is GDPR about?

The General Data Protection Regulation is a development of existing data protection legislation and applies to all personal data. This is any information that can directly or indirectly identify a natural person, and can be in any format. Personal data must be processed according to the six data protection principles:
• Processed lawfully, fairly and transparently.
• Collected only for specific legitimate purposes.
• Adequate, relevant and limited to what is necessary.
• Accurate and kept up to date.
• Stored only as long as is necessary.
• Processed with appropriate security, integrity and confidentiality.

2. Does GDPR apply to Direct Mail?

Yes, it does. Any data that includes personal details is covered by GDPR. For example, if you were to send a letter to “The Managing Director, Acme Trading Ltd.” this would not include personal data. However, if the same direct mail piece were addressed to “John Smith, Managing Director, Acme Trading Ltd.” then it would be classed as personal data. This also applies to email addresses and therefore to email campaigns.

3. Should you re-opt-in current clients on a database?

It would be good practice to contact them and re-acquire their consent if there is any ambiguity as to how the data was collected and how consent was obtained. One of the key principles under GDPR is to be able to demonstrate that you have lawful processes in place and that you can evidence that valid consent has been obtained. That consent must be freely given, specific and unambiguous. A request for consent must be intelligible and in clear, plain language. Silence or pre-ticked boxes after May 2018 will no longer suffice as consent. It should also be remembered that consent can be withdrawn at any time, and the common practice in existing email campaigns – ensuring there is an unsubscribe option within the footer of the email – should be continued.

4. Does GDPR affect business data?

Any data that includes personal information, such as a person’s name with a company email address, is affected. Many businesses hold a database of customers which will include personal information, and that information can be held as there is a “legitimate interest” to do so, i.e. a trading agreement between the two parties. There is no problem with continuing to hold such data, but it must be kept accurate and safely stored. Legitimate interest, for example, would also apply to a database of members who have paid and subscribed to be a member of a gym or trade organisation, where communication can be expected.

5. Is there a “grace” period?

It is likely that the Information Commissioner will be lenient in the first 12 months provided a company can show it is working towards compliance. However, if the requirements have been ignored, the heavy penalties that can be imposed may well be enforced. These can be up to 4% of annual worldwide turnover or €20 million.

6. What if the data is stored in the cloud?

Make sure it is within the UK or within the EU. The GDPR applies to all EU organisations – whether commercial business, charity or public authority – that collect, store or process the personal data of individuals residing in the EU, even if they are not EU citizens. Data held outside, particularly in the US and India, should be avoided as the appropriate safeguards are not in place. The responsibility remains with you as a business (the data controller) to ensure compliance with GDPR. You should seek written assurance from any third party that holds your data that they are GDPR compliant and that the data is stored within the EU. Within the regulations this is where the definitions of data controller and data processor come into play. The data controller is the business that “owns” the data and must create rules and processes to ensure the data is securely held and accurate, and that there is a legitimate reason for holding it. The data processor is a third party to whom you give responsibility to, for example, use the data for social media or digital marketing campaigns.

7. What do I have to put on marketing emails?

You must give the recipient the opportunity to unsubscribe. If they ask, you must also give them the opportunity to be “lost” (i.e. never contacted again), and you must keep a record of those individuals. The ability to unsubscribe is already a legal requirement under the Data Protection Act, so there is no major change in this area. To whom you send those emails is where there is a significant change.

8. How long can I keep records?

You may keep records for as long as is legitimate for your business purposes, but this should be defined in your privacy policy and be a specific period (not open-ended). Those working in the financial sector will have rules and governance from HMRC as to how long records are required to be kept.

9. What if there is a data breach?

You must report it to the Information Commissioner and, in certain circumstances, also tell the individuals affected. The GDPR requires organisations to implement appropriate policies and security protocols, conduct privacy impact assessments, keep detailed records of data activities and enter into detailed written agreements with data processors.

10. Where can I get further robust information?

The Salesforce website is recommended as a good source of additional information. A PDF copy of Clark Holt’s presentation at our recent seminar for clients of WTWS can be downloaded below.

GDPR Presentation Clark Holt