In this blog post, I’ll tell you how to take simple steps towards compliance with the General Data Protection Regulation (GDPR). Everything you have read may be misleading, and you could be jumping to all kinds of incorrect conclusions because, and here’s the problem, there is no right answer.
Important note: Seek your own legal advice before making your own decisions. This post quotes official information from the Information Commissioner.
I read as much as there is to read about GDPR on the Information Commissioner’s website, but there were some unanswered questions, so I contacted the ICO to ask for more explanation and was told, “It’s all on the website.”
The problem with GDPR, as with the Privacy and Electronic Communications Regulations (PECR), is that the enforcement authority, the ICO, doesn’t give advice on specific things. It can’t tell you how to design a subscription form or how to store your data. The ICO’s job is like any legal authority – it can tell you what the law says, and it can adjudicate whether you have done anything wrong, but it can’t tell you how to live.
The biggest misunderstanding that most marketers have about GDPR is around consent for marketing. Here’s the big thing – GDPR is not about marketing communications, it is about data protection.
Forget, for a moment, what anyone has told you about the need to gather marketing permissions from people before the 25 May deadline. The clue is in the name – General Data Protection Regulation. The new law replaces previous data protection legislation, and it exists to oversee how data is processed.
If you want to talk about marketing permissions, you need to be talking about the Privacy and Electronic Communications Regulations, which cover permissions for communications and marketing messages. The PECR legislation is currently being updated, and this law includes the so-called Cookie Law, which is about to be radically changed.
So, why have we been told to ask for new permissions from the people on our mailing lists?
If you have been told to email all your customers, asking them to opt in again to your mailing list, it is important to remember that, if you are doing this for GDPR reasons, you are asking for permission to process their data, not to market to them.
If they are giving consent to be added to your mailing list, they are effectively giving permission for you to keep them on a list where they receive newsletters, but the permission is for you to process their data for that purpose. The distinction is important, I think.
Permission to market falls under the purview of PECR, and that law hasn’t yet changed. Arguably, if you already have someone’s permission legally, you don’t need to ask for it again, but it’s good business practice to clean up your data and find out if you have a valid right to hold (and process) their information.
There is no right answer for all situations. The ICO advises that the GDPR applies to controllers and processors. If you hold a list of your own customers, you are a controller. If a supplier hosts that list on your behalf, or if you use a third party supplier to send newsletters, those suppliers are processors.
As a controller or a processor, you are duty bound to protect the personal data you hold. This data is not only your customer list or your mailing list, it is also the personal information about your employees, your suppliers, or even people who contact your company to apply for a job.
GDPR relates to personal data – something that relates to an individual. Audit all personal data you handle and decide whether you are the controller of that data and whether you are processing it on behalf of someone else.
Bear in mind that all data counts – not just electronic. How you store paper records is as important as where you host your mailing list.
GDPR introduces more powers to individuals over how their personal information is processed, and whether it can be processed in the first place. Before you think about your right to process the data, you should think about whether you comply with these rights.
If an individual contacts your company and asks you to inform them what data you hold about them and how you are using it, you need to be able to tell them. That individual can ask for incorrect things to be corrected, but they can also ask for deletion or for you to stop processing data.
This is all subject to your lawful basis for processing data (see below). You may have a legitimate reason to not delete someone’s data, even if they demand it. For example, imagine someone asks you to stop emailing them, and to delete them completely from your systems. How do you add them to a suppression list to prevent them being erroneously added to a list in future, if you don’t keep their records on file somewhere?
This is the nutshell for deciding whether you can hold data and what you can do with it. There are several reasons for processing data, and it’s up to the business to decide whether it is lawfully processing data.
There are also special category data types and criminal offence data to take into account, which carry further requirements.
The ICO also says you should document your decision to rely on your chosen lawful basis and ensure that you can justify your reasoning. This could be documented in your company’s data processing policy, which the company’s data controller (or data protection officer, if needed), should share with all processors.
Yes and no. The Information Commissioner, Elizabeth Denham, has said, “This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that. Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point.”
Companies that breach the GDPR could be fined huge sums, but these breaches would have to be serious, and they would come after investigation by the ICO.
One thing the ICO has told me personally in the past is to treat each individual the way you would want to be treated. If they communicate with you, treat them fairly and respect their wishes as much as you can. If you do all you can to behave reasonably, and you are doing what you believe to be right, that’s a good start.
Steve (RIP) was Services Director for Vertical Leap. He started professional life as a magazine journalist, working on music magazines and women's titles before becoming a web editor in 1997, then joining MSN to work purely in online publishing. Since 1999 he has worked for and consulted to a broad range of businesses about their digital marketing.
Categories: Content Marketing
Categories: CRO, Social Media
If your digital campaigns are underperforming, our commitment-free health check will reveal powerful insights to help you improve performance.