If you’ve been caught out by the GDPR and haven’t yet got your ducks in a row, then no need to panic. Here’s a brief guide to getting ready for GDPR.
What is the GDPR?
The GDPR is the General Data Protection Regulation, which is essentially an update to the Data Protection Act.
It improves the definition of data to include anything that can be ‘identifiable’ about an individual, so that includes things such as a computer IP address.
It also strengthens the individual’s data protection rights to view, amend or have their data deleted by a company.
More information is available from the Information Commissioner’s website.
For organisations there are greater responsibilities to limit the collection and processing of data and a stronger emphasis on acting fairly and responsibly.
The good news is that if you have been practising good data protection principles, there is not a huge amount that you need to do in order to be compliant with the GDPR.
It’s also worth noting that the GDPR goes hand in hand with the PECR (Privacy and Electronic Communications Act) which dictates some of the finer points around email and SMS marketing.
The information below takes both into account.
Six legal bases for processing data
The GDPR outlines six bases under which you can legally process data. At least one of these must apply whenever you process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Do I need to delete my email list for GDPR?
It is likely that each data set you manage for your business will rely on a different legal basis. The information below will help you determine the action you need to take. For individuals the following might be an appropriate response:
Employee records – legal obligation
As an employer you must retain certain information about your employees so that you can contact them about their job and perform payroll and reporting tasks.
Existing customers – contract
It is necessary for you to retain certain data to fulfil the contract that you have entered into. Once the contract is complete you must determine at which point the individual becomes a ‘past customer’ and joins your non-customer list (see below).
Past customers – legitimate interests
Enquirers/non-customers (individuals) – consent
The individual must have willingly opted in to receive communications from you, knowing precisely what they opted in for at the time. Each communication must carry your company details and the option to opt out of further communications.
If these individuals previously opted in to your list in a way which complies with the GDPR there is no need to ask for their consent again, assuming that the relationship is fairly recent.
Enquirers/non-customers (businesses) – legitimate interests/consent
For business-to-business marketing you may rely on legitimate interests as the legal basis for making contact. If you are a training provider, and Mrs S. at Company X has shown an interest in your courses, it is fair to assume that she will continue to be interested unless she opts out.
The same legal basis could be used to contact cold prospects – if you feel that your services or products would be relevant to their business you may contact them using legitimate interests as the legal basis for doing so.
Each communication must carry your company details and the option to opt out of further communications.
Note, however, that business contacts who are in fact sole traders or certain partnerships count as individuals rather than business contacts, and should be treated as such.
For more information on direct marketing and the GDPR see this guide.
How long can I keep data?
For all data you must determine a reasonable length of time to retain information, and be clear on your data storage, retention and disposal policy.
For each data set you hold you must make a reasoned decision about the length of time you will keep an individual’s data. Unless there are statutory or regulatory reasons, it is up to your organisation to decide on a policy for each data set. Document your reasoning and decisions using our guide to GDPR compliance.
Past customers – retained for 12 months in case of returns or exchanges.
Employees – retained for 5 years in case of reference requests.
Enquirers – 24 months unless opted out in the meantime.
For email lists you must decide at which point the individual is unlikely to be still interested in your product or service. If they have not bought from you in 12 or 24 months is it likely that they will still be interested?
It is better to have a smaller contact list of interested people than a larger list of unresponsive individuals.
What else do I need to do?
- Consider whether you are a ‘data processor’ or a ‘data controller’.
- Conduct a review of what data you collect and hold. Our past post and template may be helpful.
- Review who has access to each data set and limit access if possible.
- Review how data is held and tighten up security if possible via passwords or encryption.
The best resource will always be the Information Commissioner’s website.
Any questions? Contact us for help with GDPR compliance.
Also published on Medium.