What You Need To Know About GDPR
Carole Fossey (LION)
Well, it is nearly upon us. On May 25th 2018, GDPR will apply to every business in the UK. And every business not in the UK if they are processing data about people IN the EU. Will we still need to comply with this bearing in mind Brexit? In all probability. Yes, we won’t be subject to EU law, but it is likely this particular piece of legislation will be just as relevant in the UK after Brexit as it will be from May 25th.
There is a lot of talking about GDPR, and a lot of scaremongering. Let’s get really clear on something.
If you were already respecting people’s privacy, not spamming them, being really clear on what people are opting in for and keeping your data safe – then nothing will change for you. This is not a whole load of unnecessary legislation created to annoy or inconvenience small business owners.
This is legislation to stop repeats of Facebook/Cambridge Analytica (before they even knew about that). It is aimed at Big Data really – although it clearly covers everyone. But it is nothing to panic about.
If one person on your list complains about being emailed, even though they have been emailed every week for the last 6 months, the data protection people will just politely suggest they unsubscribe – which you have given them every opportunity to do every time you email them, right?
So why are all the big companies dropping into your email box asking you to actively subscribe and should you do the same?
Short answer – NO you shouldn’t (if you have done everything right up to now). Longer answer – if you have been in the habit of gaining people’s emails without their consent, or when they thought they were opting in for something else, or because the ‘opt in’ boxes were already ticked, or because the person was really confused by all the long-winded jargon and didn’t KNOW they had opted in – then YES you should email them and gain their consent.
Because THIS is what a lot of big companies did, or they bought data they can’t now be certain was properly opted in. They are not really sure about their data and therefore they can’t risk NOT sending those emails.
But if YOUR list is totally aware of who you are, and that you email them your blog every week, and have been doing for years, and there is always an unsubscribe button, then personally – I think you’re fine. Of course, I am not a lawyer and this shouldn’t be taken as legal advice. Look into it yourself, but just use your common sense.
Those companies who ARE now feeling the need to ask their lists to opt in (because they didn’t do that in the first place) are finding the opt-in rate averaging 2%. You have been warned!
OK – so let’s look at some of the things you do NEED to be aware of.
- You have to ensure consent is explicit, rather than implicit. Silence, pre-ticked boxes or inactivity may thus not constitute valid consent. Check all your landing pages / opt-in emails to make sure they are clear and people know what they are opting in for.
- Everyone has the right to be ‘forgotten’, which means if someone asks, you have to delete all the data you hold about them.
- Parental consent is required when offering information services directly to a child under the age of 16. Member States may choose to lower the age level to 13.
- There is nothing global in GDPR about data held for HR purposes – each member state can specify its own rules. So, if you have staff, watch this space for news on how you can process their data.
- You probably don’t need a data protection officer under 250 staff.
- If you become aware of a data breach, you must notify the individuals concerned and the DPA within 72 hours at the latest. Unless there is no risk to the individual, in which case you can choose not to – but you must keep a record of this and of your reasons, and be prepared to justify it.
- You cannot charge someone for requesting their data, you must now provide that free of charge.
- Now would be a good time to review your security arrangements – password protection, encryption, firewalls, anti-virus, storage – and make sure they are up to scratch.
- As a business of fewer than 250 employees, you do not need to create processing records except if there could be a risk to the rights and freedoms of data subjects, or you are processing any ‘special categories’ of data (like health, sexual orientation and so on) or about criminal convictions. But you must know the data you are holding and why you are holding it.
If any of that boggles your mind, then contact your lawyer for clarification. It’s important to get this right, but equally important not to panic.
Dip. Counselling, MBACP; Advanced Dip Creative Hypnotherapy GQHP GHR (Reg)
6 years ago
Thanks Carole, that’s really informative, hope you are well?
Is Your Data Truly Secure? | Passionate Data Protection Leader | Spearheading Business Growth With Ethical Data and AI | Championing Customer Trust Through Robust Privacy Practices | Let’s Talk!
6 years ago
Hi Carole. I like your article & generally agree with what you say. There is a lot of scaremongering going on in the market at the moment & it is only getting worse as we approach the 25th May. Mostly used to try and sell various GDPR-related services & software solutions. Often not even needed. The only thing I would say is that GDPR is not just targeted at the big companies, but everyone right down to one man & his dog. Yes, the larger companies tend to have more personal data that they have collected & therefore a bigger potential problem, but I have worked with many smaller organisations that have NO controls in place. In fact, out of all the GDPR assessments I have carried out to date, across a wide variety of sectors & organisational sizes, not one was in a position to effectively demonstrate & prove where required that they had gained the necessary consent, in the right way, in line with GDPR requirements. In the new world of the GDPR, being able to demonstrate & prove is going to be key. Unlike the outgoing Data Protection Act 1998, which required organisations to create the appropriate privacy & data protection structure within their business (i.e. policies & procedures), but then left it to such organisations to self-govern / regulate such practices to their best endeavours, the GDPR now makes such organisations squarely accountable for demonstrating that such a structure is working in practice. Being able to provide live data as proof if an organisation has over 250 employees. In fact, if you look at the enforcement structure within the GDPR, you will see that the large majority of obligations on organisations now relate to being able to both show that they have carried out adequate levels of assessment & due diligence to create an appropriate structure of privacy & data protection practices, & demonstrate that such practices are working effectively in practice.
This is something that such organisations are going to have to prove to the ICO (Information Commissioner’s Office) regardless of whether a data breach has taken place. In fact, the ICO is currently going through a huge recruitment programme to increase its levels of staff to be able to better audit organisations to enforce the GDPR. This is the main reason all sizes of organisation are currently going through a number of assessments within their businesses & where they are not 100% confident they can both demonstrate & prove compliance are erring on the side of caution. Hence the increased volume of re-consent requests hitting everyone’s mailboxes. Cheers, Martin.