25th May 2018. It’s ingrained into your brain and it’s ingrained into mine, and for good reason too.
The General Data Protection Regulation (GDPR) is just over a week away now and while preparations are in full swing, we thought we’d round up some of the myths surrounding GDPR and do some myth-busting!
- GDPR doesn’t apply to me.
You might not be located in the EU or even trade within the EU very often. However, you must comply with GDPR if you process the personal data of EU citizens or residents.
This means if they purchase your product or subscribe to promotional offers – any area where customers from the EU interact with your business requires GDPR compliance.
- GDPR is just a scare tactic – nobody will get fined.
I think you might be in for an expensive shock if you prepare for GDPR with this mindset. One thing that has been made clear throughout is the size of the fines. There are two levels of fines. The first level is up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher. The second is up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher.
Let’s put this into perspective: a recent data breach due to security failings by TalkTalk cost them £400,000. Under GDPR, this would rocket to an eye-watering £59 million – a huge chunk of their turnover.
- You must delete all of someone’s data, if that’s what they want.
A key change with GDPR is the right to be forgotten. Taken alone, this implies that the person’s data must be deleted; the complicating factor is that GDPR also requires you to be accountable. Balancing the two means you can’t simply delete the person – if you did, how would you evidence that you have deleted them? You need to show the journey from the request to evidence of the erasure in order to comply with GDPR.
But how can you delete someone, but keep the evidence?
So we have thought long and hard about this, and in our systems we now have a solution that converts an item of personal data, for example the individual’s email address, into a unique identifier code. The conversion is one way: you cannot work back from the code to obtain the email address. But if the person re-registers, their email address produces the same code, which raises a flag to say that this person has previously requested to be forgotten.
This way, no personal data is held or shown in the CRM system – but the right-to-be-forgotten request has been recorded with date and time and a secure, GDPR compliant identifier.
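As an added example (not the system described above and not this company’s own code), here is how such an erasure register can be built in Python. It assumes a keyed hash (HMAC-SHA256) with the key held outside the CRM rather than a plain hash, because a plain hash of an email address can be matched simply by hashing candidate addresses and comparing; the class, function names and sample address are constructed for this illustration.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Assumption: in a real deployment the key is generated once, kept outside the
# CRM (a secrets manager or HSM) and never stored next to the identifiers it
# protects. A module-level random key is used here only so the example runs
# stand-alone.
ERASURE_KEY = secrets.token_bytes(32)


def normalise_email(email: str) -> str:
    """Canonicalise the address so that re-registration with different
    capitalisation or stray whitespace still matches the earlier request."""
    return email.strip().lower()


def erasure_identifier(email: str, key: bytes) -> str:
    """One-way identifier for an email address.

    HMAC-SHA256 is used instead of a bare SHA-256: a plain hash of an email
    address can be reversed by anyone able to hash candidate addresses and
    compare, so on its own it would still be personal data. With the key held
    outside the CRM, the identifier alone cannot be matched back to an address.
    """
    return hmac.new(key, normalise_email(email).encode("utf-8"),
                    hashlib.sha256).hexdigest()


class ErasureRegister:
    """Evidence trail for right-to-be-forgotten requests, keyed by identifier only."""

    def __init__(self, key: bytes = ERASURE_KEY) -> None:
        self._key = key
        self._records: Dict[str, Dict[str, Optional[str]]] = {}

    def record_request(self, email: str, when: Optional[datetime] = None) -> str:
        """Log that a request was received. Only the identifier and a timestamp are kept."""
        ident = erasure_identifier(email, self._key)
        when = when or datetime.now(timezone.utc)
        self._records[ident] = {"requested_at": when.isoformat(), "erased_at": None}
        return ident

    def record_erasure(self, ident: str, when: Optional[datetime] = None) -> None:
        """Close the loop: evidence that the personal data was actually removed."""
        when = when or datetime.now(timezone.utc)
        self._records[ident]["erased_at"] = when.isoformat()

    def was_forgotten(self, email: str) -> bool:
        """The re-registration flag: the new address maps to a known identifier."""
        return erasure_identifier(email, self._key) in self._records

    def evidence(self, email: str) -> Optional[Dict[str, Optional[str]]]:
        """The request/erasure timestamps for an address, if a request exists."""
        return self._records.get(erasure_identifier(email, self._key))

    def stored_values(self) -> List[str]:
        """Everything the register persists, so you can check no address leaks into it."""
        out: List[str] = []
        for ident, rec in self._records.items():
            out.append(ident)
            out.extend(v for v in rec.values() if v is not None)
        return out


if __name__ == "__main__":
    reg = ErasureRegister()
    ident = reg.record_request("Alice@Example.com")   # constructed sample address
    reg.record_erasure(ident)
    print(reg.was_forgotten(" alice@example.com"))    # same person re-registering
    print(reg.was_forgotten("bob@example.com"))       # unrelated address
    print(reg.evidence("alice@example.com"))
```

The register holds only the identifier and the two timestamps, which is what an auditor needs to see the journey from request to erasure. Normalising the address before hashing matters: without it, a re-registration with a capital letter would slip past the flag.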
- I’ll just try and obtain consent and if people don’t reply or opt out, I’ll contact them using legitimate interest.
No you won’t. That’ll land you in hot water pretty quickly. You can’t ask for consent and then go down the legitimate interest route, or that would be too easy! You need to carefully choose which basis you are contacting people on. Consent is by far the best route and you’ll be a lot safer using this basis; however, there are times when it is in a person’s best interest to be contacted.
Now, there hasn’t been final guidance on legitimate interest yet, but the ICO has issued some help. There are three elements to the legitimate interest basis; you need to:
- identify a legitimate interest;
- show that the processing is necessary to achieve it; and
- balance it against the individual’s interests, rights and freedoms.
The processing also needs to be necessary. If you can reasonably achieve the same result in another, less intrusive way, legitimate interest will not apply.
- I’ve gained consent over the years, so I’m not doing anything.
If you’ve gained consent in a GDPR compliant way and it’s recorded then great, you really are prepared!
If you need refreshing on what is compliant then keep reading…
Key needs for consent:
- Don’t use pre-ticked boxes – the person has to opt in, not opt out of a default pre-ticked box.
- Make your consent statement clear, simple and easy to understand. The individual should not be confused about what they are consenting to, nor should they have to read through lengthy statements full of complicated legal language.
- Don’t pair your consent tick box with the terms and conditions; that is not GDPR compliant. An individual should not have to receive communications in order to agree to terms and conditions. Make them separate.
- Do you have three newsletters? Do you have quarterly emails sent out with special offers? You need to separate which communications the individual would like to receive, rather than blanketing the consent with one statement. GDPR is all about choice.
- Third party controllers: do you sell any of your data or pass it to any other companies to use? You must name all the third parties that rely on the data and information. If you have 400 third parties, then yes, you need to list them!
- Easy to withdraw: inform individuals how to withdraw consent and ensure the process is as simple as possible.
- Everything needs to be well documented and recorded – even down to the consent statement you used. Who, what, when, where, how – keep it on file.
So there are five myths of GDPR busted. We aren’t lawyers though so this article should not be relied upon for legal purposes. The ICO has a wealth of information you can rely upon though. Check out their website here.
Oh and that solution that manages your consent records? Check it out here.