GDPR IS NEARLY HERE, IT’S TIME TO PROPERLY PANIC
THE GDPR TRAIN IS ALMOST HERE. CALLING AT TERROR TOWN AND PANIC CENTRAL. IF YOU WANTED ANOTHER “ULTIMATE LIST OF WAYS GDPR WILL RUIN YOUR LIFE” THEN THIS AIN’T FOR YOU. IF YOU WANTED A “CALM DOWN DEAR, IT’S ONLY A BIT OF LEGISLATION”, THEN PULL UP A CHAIR.
There is no denying it, GDPR is a serious bit of legislation. This post recognises that but chooses to discuss it in a lighter tone. I’ve taken this route simply because during my research for writing this post I was overwhelmingly aware of how much panic is out there. I mean, like, eye-watering, blanket-tearing, pillow-biting pure terror.
If you’re a company with a gazillion customer databases and collection processes whose entire model relies on the capture of EU citizen personal data and retention, then, yes, you’ve got a bit of work to do. Otherwise, you may well find that a small pinch of common sense and a sit down with your marketing, IT and sales teams will do.
What GDPR is and isn’t
It’s not about the massive fines. Sections of the fear-mongering press might want you to think that, but it’s not. It’s about asking companies to step up and take responsibility for how they collect peoples’ data and then store it and process it. Rather than how it is at the moment, which is largely just “nodding dogs” saying “yes, we collect and store data most excellently”.
Also, GDPR is not going to set about making an example of the local plumber because he is emailing a sales pamphlet to an address list he got off “dodgy barry” in the local pub. They will not descend upon him and make him the last of his name, nor will they end his house and send his family wailing into the cold night. The Information Commissioner’s Office (ICO, who will oversee GDPR) have always preferred to bring offenders into line with education and assistance rather than whip them into submission. As their blog points out,
This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that. – ICO Blog by Elizabeth Denham, Information Commissioner.
If my business is small or earns under £x, then I’m free as a bird, right?
No, no you’re not. Take a look at the list of cases where they have taken enforcement action. It’s the breadth of the types of organisations that came under their gaze that made me look twice. Local government, the Police (crimefighters, not pop group), political groups, and even charities, all paid the price for dodgy data protection. The point here is that any organisation, even if it’s not legally recognised, is required to be compliant. Your local pub football team? Yep. A one-man band? Yep. All of the above.
For the marketers in the house. You still have a job. Yay.
Don’t let the barrage of “we need to reconfirm your consent…” emails that you’re getting confuse you. Wipe that sweat from your brow, sending people marketing emails is still legal. Plus there is a bonus: if you collected their details in a manner consistent with GDPR in the first place then you’re golden. It’s about specific consent. If they ticked a box (pre-ticked doesn’t cut it) that specifically said they wanted to receive marketing emails from you, it’s all good. If you didn’t, then you may need to ask them again.
Offering free e-books, contact us forms, and other “assumed consent” methods are out. Likewise just because a customer bought something from you doesn’t mean you can badger them with offers twice a week for the next twenty years. You can send them transactional emails, but that’s it.
Think about where you got your list from in the first place. If it contains even a portion of “scraped” addresses (business cards, yellow pages, found them stuck to your shoe) and you can’t isolate them out, you’ll have to get consent afresh.
I need a data protection officer now, right?
Stand down, soldier, step away from the employment website. Some of the big boys will need to make that hire, but they probably had one anyway. Scale and type of data are important factors to GDPR and those that make their living out of large-scale data or sensitive personal data need to make sure a specific person is responsible. While we’re on the subject of GDPR myths,
- Consent must be “Explicit” when processing personal data. Nope, consent must be “unambiguous”. Keep wordings clear and easy to understand and you’ll be fine.
- People can ask you to delete all the data you hold on them, and you HAVE to do it. Not so, the “right of erasure” means that if the data remains necessary for the reasons it was originally collected and you still have a legal reason to process the data then you can turn down their request. If they ask to opt-out of communications though, you’ve got to do that.
- If you collect data from children, you need the parent’s consent. Wrong! If the data processing you’re doing is based on other lawful processing reasons (a legal obligation, vital interest or even reasonable interests) then parental consent is not required.
So I can just totally ignore GDPR, that’s what you’re saying, isn’t it?
No! You need to read and understand the whole shebang, but just do that without panic in your eyes. Basically, tell people why you want their data before collecting it and make them opt-in to communications. Keep that data safe, only process it under particular conditions, don’t transfer it to anyone else without consent, and ensure the data remains relevant to the reason it was originally collected.
See? Easy. You’re welcome.