In this blog post, I’ll tell you how to take simple steps towards compliance with the General Data Protection Regulation (GDPR). Everything you have read may be misleading, and you could be jumping to all kinds of incorrect conclusions because, and here’s the problem, there is no right answer.
Important note: Seek your own legal advice before making your own decisions. This post quotes official information from the Information Commissioner.
I read as much as there is to read about GDPR on the Information Commissioner’s website, but there were some unanswered questions, so I contacted the ICO to ask for more explanation and was told, “It’s all on the website.”
The problem with GDPR, as with the Privacy and Electronic Communications Regulations (PECR), is that the enforcement authority, the ICO, doesn’t give advice on specific things. It can’t tell you how to design a subscription form or how to store your data. The ICO’s job is like any legal authority – it can tell you what the law says, and it can adjudicate whether you have done anything wrong, but it can’t tell you how to live.
GDPR confusion about marketing consent
The biggest misunderstanding that most marketers have about GDPR is around consent for marketing. Here’s the big thing – GDPR is not about marketing communications, it is about data protection.
Forget, for a moment, what anyone has told you about the need to gather marketing permissions from people before the 25 May deadline. The clue is in the name – General Data Protection Regulation. The new law replaces previous data protection legislation, and it exists to oversee how data is processed.
If you want to talk about marketing permissions, you need to be talking about the Privacy and Electronic Communications Regulations, which cover permissions for communications and marketing messages. The PECR legislation is currently being updated, and this law includes the so-called Cookie Law, which is about to be radically changed.
- GDPR covers data protection.
- PECR covers data privacy.
So, why have we been told to ask for new permissions from the people on our mailing lists?
If you have been told to email all your customers, asking them to opt in again to your mailing list, it is important to remember that, if you are doing this for GDPR reasons, you are asking for permission to process their data, not to market to them.
If they are giving consent to be added to your mailing list, they are effectively giving permission for you to keep them on a list where they receive newsletters, but the permission is for you to process their data for that purpose. The distinction is important, I think.
Permission to market falls under the purview of PECR, and that law hasn’t yet changed. Arguably, if you already have someone’s permission legally, you don’t need to ask for it again, but it’s good business practice to clean up your data and find out if you have a valid right to hold (and process) their information.
The quick steps to understanding GDPR and compliance
There is no right answer for all situations. The ICO advises that the GDPR applies to controllers and processors. If you hold a list of your own customers, you are a controller. If a supplier hosts that list on your behalf, or if you use a third party supplier to send newsletters, those suppliers are processors.
As a controller or a processor, you are duty bound to protect the personal data you hold. This data is not only your customer list or your mailing list, it is also the personal information about your employees, your suppliers, or even people who contact your company to apply for a job.
1. Decide if you are a controller or a processor
GDPR relates to personal data – something that relates to an individual. Audit all personal data you handle and decide whether you are the controller of that data and whether you are processing it on behalf of someone else.
Bear in mind that all data counts – not just electronic. How you store paper records is as important as where you host your mailing list.
2. Make sure you can respect individuals’ rights
GDPR introduces more powers to individuals over how their personal information is processed, and whether it can be processed in the first place. Before you think about your right to process the data, you should think about whether you comply with these rights.
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
If an individual contacts your company and asks you to inform them what data you hold about them and how you are using it, you need to be able to tell them. That individual can ask for incorrect things to be corrected, but they can also ask for deletion or for you to stop processing data.
This is all subject to your lawful basis for processing data (see below). You may have a legitimate reason to not delete someone’s data, even if they demand it. For example, imagine someone asks you to stop emailing them, and to delete them completely from your systems. How do you add them to a suppression list to prevent them being erroneously added to a list in future, if you don’t keep their records on file somewhere?
3. Decide on your lawful basis for processing
This is the nutshell for deciding whether you can hold data and what you can do with it. There are several reasons for processing data, and it’s up to the business to decide whether it is lawfully processing data.
- Consent: The ICO says, “The GDPR sets a high standard for consent. But you often won’t need consent. If consent is difficult, look for a different lawful basis.”
- Contract: The ICO says, “You can rely on this lawful basis if you need to process someone’s personal data to fulfill your contractual obligations to them or because they have asked you to do something before entering into a contract (e.g. provide a quote). The processing must be necessary for this basis to be valid. You should document your decision to rely on this lawful basis and ensure that you can justify your reasoning.”
- Legal obligation: “You can rely on this lawful basis if you need to process the personal data to comply with a common law or statutory obligation (not contractual obligations). You should be able to identify the legal provision or a source of advice or guidance that clearly sets out your obligation.”
- Vital interests: “This could apply if you need to process the personal data to protect someone’s life. You cannot rely on vital interests for health data or other special category data if the individual is capable of giving consent, even if they refuse their consent.”
- Public task: “This basis can apply if you need to process personal data ‘in the exercise of official authority’. It is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest.”
- Legitimate interest: “Legitimate interest is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate. It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing. If you choose to rely on legitimate interest, you are taking on extra responsibility for considering and protecting people’s rights and interests.”
There are also special category data types and criminal offence data to take into account, which carry further requirements.
The ICO also says you should document your decision to rely on your chosen lawful basis and ensure that you can justify your reasoning. This could be documented in your company’s data processing policy, which the company’s data controller (or data protection officer, if needed), should share with all processors.
Does GDPR come with big financial penalties?
Yes and no. The Information Commissioner, Elizabeth Denham, has said, “This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that. Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point.”
Companies that breach the GDPR could be fined huge sums, but these breaches would have to be serious, and they would come after investigation by the ICO.
One thing the ICO has told me personally in the past is to treat each individual the way you would want to be treated. If they communicate with you, treat them fairly and respect their wishes as much as you can. If you do all you can to behave reasonably, and you are doing what you believe to be right, that’s a good start.