Only the EU could make data protection a hot topic of conversation. Its GDPR (General Data Protection Regulation) legislation comes into force in one month’s time, after which businesses will be liable for massive fines if they fail to comply.
You’d think, from the relentless barrage of advice from consultants over the last year, that we’d all be fully prepared by now, but apparently not. A January survey of 1,000 senior executives across Europe found that 60% were unprepared for GDPR. In February, the Federation of Small Business (FSB) determined that 34% of small firms had only little understanding of the legislation, and 18% weren’t even aware of it.
The basic principles are quite easy to get your head around: you can only use personal data for the explicit purpose for which it was collected, then you have to delete it; people have the right to be informed about the data you have on them, and the right to make you delete it.
But the devil will be in the details: expect a wave of misunderstandings to proliferate over the summer.
To save you some heartache, MT visited The Supper Club, which has produced a detailed, practical guide to GDPR with Learn Amp. Here are five thorny questions their members raised, with expert answers.
DATA STORAGE: How long can data be stored, what needs to be deleted, and why?
‘Data can only be stored for as long as you have legal grounds for storing it,’ says Peter Borner, Senior Consultant at The GDPR Guys. ‘Financial data often has to be stored for 7 to 10 years. Employee data needs to be stored for as long as you need it to defend yourself against industrial tribunals. Customer data is generally stored for the length of your normal sales cycle. It is a case-by-case decision.’
SUBJECT ACCESS REQUESTS: Can requests be made on someone’s behalf?
‘Businesses have been worried about a PPI-style claims industry growing out of (Subject Access Requests), with companies doing it on behalf of individuals,’ says Suzanna Chaplin, co-founder of ESBConnect. ‘Fortunately, the ICO has specified proof of ID from whoever makes a request, which also addresses the risk of giving personal data to the wrong people.’
CONSENT: Is consent the only way to gain permission for email marketing?
‘Consent is not the only means of gaining permission for email marketing,’ says Steve Henderson, compliance officer at Communicator. ‘PECR [Privacy and Electronics Regulations – sister legislation to GDPR] also allows email marketing, in certain circumstances, to existing customers and those in negotiations for a sale or service.
‘Those circumstances are: where the email address was provided during the sale or negotiation process; where an option to opt out was provided; where the marketing is limited to goods and services relating to the purchases or customer relationship; and where the customer is given an option to opt out in each message. This situation is sometimes referred to as a "soft opt-in".’
LEGITIMATE INTEREST: Do you need to regain consent for prospects before 25 May 2018?
‘Legitimate interest may be a better option for communicating with current customers instead of consent,’ says Peter Galdies, founder of DQM GRC and DataIQ. ‘There looks to be a "one-time" opportunity to make this change prior to May 25th. You need to document this decision, the balancing argument for legitimate interest and recognise that this will only be valid for those customers who are currently active. Consent will not be required; instead you will have to offer an opt-out from the processing.’
COMPLIANCE CONSULTANTS: What do you need a specialist for, and what can be done in-house?
‘You might not need to outsource everything and only need advice and guidance,’ says Joanne Smith, founder of TCC Group. ‘The only way to decide this is to understand the full journey for getting GDPR compliant. A good consultancy will explain what this looks like and help you to find your internal gaps in knowledge, skills, and resource that they can fill. This will help to prevent you paying for services you don’t need.’
Image credit: Michael Traitov/Shutterstock