Well, it is nearly upon us. On May 25th 2018, GDPR will apply to every business in the UK, and to every business outside the UK that is processing data about people IN the EU. Will we still need to comply with this, bearing in mind Brexit? In all probability, yes. We won’t be subject to EU law, but it is likely this particular piece of legislation will be just as relevant in the UK after Brexit as it will be from May 25th.
There is a lot of talking about GDPR, and a lot of scaremongering. Let’s get really clear on something.
If you were already respecting people’s privacy, not spamming them, being really clear on what people are opting in for and keeping your data safe – then nothing will change for you. This is not a whole load of unnecessary legislation created to annoy or inconvenience small business owners.
This is legislation to stop repeats of Facebook/Cambridge Analytica (before they even knew about that). It is aimed at Big Data really – although it clearly covers everyone. But it is nothing to panic about.
If one person on someone’s list complains about being emailed, even though they have been emailed every week for the last 6 months, then the data protection people will just politely suggest they unsubscribe – which you have given them every opportunity to do every time you email them, right?
So why are all the big companies dropping into your email box asking you to actively subscribe and should you do the same?
Short answer – NO, you shouldn’t (if you have done everything right up to now). Longer answer – if you have been in the habit of gaining people’s emails without their consent, or when they thought they were opting in for something else, or because the ‘opt in’ boxes were already ticked, or because the person was really confused by all the long-winded jargon and didn’t KNOW they had opted in – then YES, you should email them and gain their consent.
Because THIS is what a lot of big companies did, or they bought data they can’t now be certain was properly opted in. They are not really sure about their data and therefore they can’t risk NOT sending those emails.
But if YOUR list is totally aware of who you are, and that you email them your blog every week, and have been doing for years, and there is always an unsubscribe button, then personally – I think you’re fine. Of course, I am not a lawyer and this shouldn’t be taken as legal advice. Look into it yourself, but just use your common sense.
Those companies who ARE now feeling the need to ask their lists to opt in (because they didn’t do that in the first place) are finding the opt-in rate averaging 2%. You have been warned!
OK – so let’s look at some of the things you do NEED to be aware of.
- You have to ensure consent is explicit, rather than implicit. Silence, pre-ticked boxes, or inactivity may thus not constitute valid consent. Check all your landing pages / opt-in emails to make sure they are clear and people know what they are opting in for.
- Everyone has the right to be ‘forgotten’, which means if they ask, you have to delete all data you hold about them.
- Parental consent is required when offering information services directly to a child under the age of 16. Member States may choose to lower the age level to 13.
- There is nothing global in GDPR about data held for HR purposes – each member state can specify its own rules. So, if you have staff, watch this space for news on how you can process their data.
- You probably don’t need a data protection officer if you have fewer than 250 staff.
- If you become aware of a data breach you must notify the individuals concerned and the DPA (data protection authority) within 72 hours at the latest, unless there is no risk to the individual, in which case you can choose not to – but you must keep a record of this and of your reasons, and be prepared to justify it.
- You cannot charge someone for requesting their data, you must now provide that free of charge.
- Now would be a good time to review your security arrangements – password protection, encryption, firewalls, anti-virus, storage – and make sure they are up to scratch.
- As a business of fewer than 250 employees, you do not need to create processing records except if there could be a risk to the rights and freedoms of data subjects, or you are processing any ‘special categories’ of data (like health, sexual orientation and so on) or data about criminal convictions. But you must know what data you are holding and why you are holding it.
If any of that boggles your mind then contact your lawyer for clarification. It’s important to get this right, but equally important not to panic.