GDPR deadline is near
By 25 May companies must be compliant with the General Data Protection Regulation (GDPR) or risk a heavy fine. How ready are you?
According to Andrew Hartshorn from legal firm Shakespeare Martineau, for many businesses it may be too late to be fully compliant by the time the GDPR comes into force, but they can still take strides towards compliance following these practical tips.
Tidy up your marketing database
The law around consent is changing. Consents from customers to receive emails from you will have to be positively given rather than relying on a pre-ticked box. If you want to rely on consent after 25 May, then you need to ensure that the consents have been given in a way that is GDPR-compliant. Consent needs a positive act. Requests for consent need to be clearly distinguishable from other matters, intelligible, and written in clear and plain language. This is most relevant for marketing databases where, for email marketing, you either need consent or must have sold similar goods and services previously to the individual. The governmental watchdog, the Information Commissioner’s Office (ICO), has been clamping down on unsolicited emails and will continue to do so under the new regime.
Don’t think the ICO is only monitoring large concerns. Under the current regime it recently issued a fine of £70,000 for deliberately sending unsolicited emails and one of £13,000 for unintentionally sending out marketing emails. Under the new regime, expect fines to be larger.
Understand where you send personal data
The GDPR, like the current Data Protection Act (DPA), requires personal data to be treated with care and only used in appropriate ways. Businesses cannot pass personal data on to third parties whenever they like. They must ensure that they are justified in passing the data on to third parties and that the contracts with these third parties protect the business.
Review your security arrangements
The GDPR requires businesses to have appropriate security to ensure that personal data is not lost or inappropriately accessed. Check both your IT and physical security policies to make sure that data is locked away securely. Make sure that staff understand their responsibilities here.
Get your privacy statements right
You must provide individuals with a detailed and prescribed fair collection notice when you first collect their data. This is an easy thing to get right, and doing so will mean that people understand how you are using their data, but it requires a thorough understanding of the data you process.
Treat data with care
Ultimately, the GDPR is about treating people and their personal information fairly and with due recognition of their reasonable expectations of privacy. If you only collect the data you need, use it only when you must and get rid of it when you can, then you are halfway to compliance. See more information on GDPR at shma.co.uk.