GDPR (or the General Data Protection Regulation, to give it its full title) is the latest legislation in the area of data protection. It promises to be the biggest shake-up to European privacy laws in over twenty years and it will apply in all European Member States (including the United Kingdom) from 25 May 2018. Brexit will have minimal impact in this area, as the UK government is planning to introduce its own data protection legislation which, for the most part, mirrors GDPR. GDPR strengthens individuals’ rights, places strict and comprehensive compliance requirements on organisations that process personal data, and introduces huge fines for those that do not comply. Understanding how, when and why you are collecting personal information is important and should be the first step that all organisations take in assessing GDPR compliance.
Does it Apply to my Business?
GDPR applies to any ‘data controller’ trading in any EU Member State that ‘processes’ (i.e. collects, manages, stores or uses) ‘personal data’ (i.e. any information relating to an identified or identifiable natural person). Organisations are legally obliged to properly protect personal data. If you are currently subject to the Data Protection Act 1998, it is highly likely that you will also be subject to GDPR.
Entrepreneurs, start-up companies and those who are already established in their marketplace will almost certainly be affected by the changes introduced by GDPR. GDPR does not discriminate by business type and sets high standards across the board for the protection of personal data. Organisations will need to take responsibility for ensuring they comply and, crucially, be able to show how they comply. With less than six months to prepare, the time to take action is now.
Marketing
One area where start-ups will need to give attention is their marketing activities. Start-ups need to get maximum return on their marketing investment, and when budgets are tight many will rely on mail-shots to their email database as a low-cost form of advertising. A mail-shot involves data processing, and before your organisation does that it must identify a lawful basis for the processing. One of the most commonly used legal bases is ‘consent’, i.e. the person you are sending the marketing material to has agreed that they wish to receive such material.
The GDPR considerably tightens up the requirements around gaining consent. Consent must be “freely given, specific, informed, and unambiguous” and expressed through a “clear affirmative action”. Further, you must keep records of the consent obtained.
An example of a “clear affirmative action” is a customer opting in by ticking a box on your website. Opt-outs and pre-ticked boxes are a thing of the past. The wording next to your box must make it clear what the individual is signing up to, e.g. to receive a weekly update on your products. You should give granular options to consent to different types of processing wherever appropriate, e.g. separate out email, paper mail, text messages, etc. It is envisaged that under GDPR individuals will need to be given several tick-box options, as each needs to be “specific”.
It should also be easy for people to withdraw their consent. Tell people they have the right to withdraw their consent at any time, and explain clearly how to do this. You will need to have a simple and effective withdrawal mechanism in place.
Existing Marketing Databases
If your existing database was not gathered following GDPR requirements, then it is likely that it cannot be used after 25 May 2018. There are two main schools of thought in relation to existing marketing databases: (1) contact your database now asking them to update their preferences and to opt in again, with individuals who do not opt in being removed automatically; or (2) delete it all and start again. Whilst daunting, the second option may give you more peace of mind. Wetherspoons recently deleted its entire marketing database to ensure that it complies with the GDPR standard going forward.
Securing compliant consent is crucial. Once you have it you then need to ensure that it is kept up to date and regularly reviewed.
Stephen Grant is a solicitor at Wright, Johnston & Mackenzie LLP.