GDPR Myth Busting – We need the data subject's permission to process their data

No, you don't. You must have one of the six lawful bases for processing set out in the Regulation, but consent is only one of them. The others include:

  • where you are performing a contract with the data subject, or taking steps at their request to enter into one: for example, a law firm carrying out conveyancing, or an insurer gathering the information it needs to prepare a quote.
  • where a law specifically requires the processing to be done, such as anti-money-laundering checks or right-to-work checks on employees.
  • for your own, or a third party's, legitimate interests. This basis fits best where you use people's data in ways they would reasonably expect and the processing has minimal impact on their privacy; you must still weigh your interest against theirs. For example, it is a legitimate interest for an online shop to hold contact details and a delivery address for its customers.


GDPR Myth Busting – Using professionals to deliver marketing services takes away the worry

If you pay a third party to do your marketing, you are both responsible for complying with the GDPR and the Privacy and Electronic Communications Regulations (PECR).

If the ICO were to take enforcement action, it would usually take it against the 'instigator', that is, the business that commissioned the marketing. If a specialist subcontractor deliberately ignored the rules, the ICO might also consider taking action against the subcontractor.

Whatever the arrangement, it is a legal requirement to have a written, GDPR-compliant contract in place with any supplier that has access to the personal data you control. It needs to set out the contractor's responsibilities and, where possible, guarantees of compliance.


GDPR Myth Buster – It’s all about marketing

No, it’s not.

Personal data is any information relating to an identifiable person who can be directly or indirectly identified.

What identifies an individual could be as simple as a name or a reference number, but it could also be an IP address or a cookie identifier.

The rules apply to both electronic personal data and to certain manual filing systems.

Processing means doing just about anything with personal data, including collecting it, storing it, sharing it and disposing of it.

Employees and job applicants are covered, so the rules apply even to the notes you make about candidates at a job interview. Don't write anything you wouldn't want the candidate to read, because they have the right to make a subject access request and see it.

In relation to marketing, we also have to bear in mind the Privacy and Electronic Communications Regulations (PECR), which apply whenever you send electronic marketing messages by phone, fax, email or text.


GDPR Myth Buster – I’ve been in business for years and never had a problem

That’s great news.

The ICO, like many regulators, has an issue-driven enforcement policy.

If there is a significant data breach or numerous complaints then enforcement action may well follow.

If this happens, the ICO will ask how you can demonstrate your compliance: the GDPR's accountability principle requires you to be able to show it, not merely assert it.

If you can't, you will have no defence and will have to face the consequences, which will more than likely include reputational damage as well as any penalty.


Network referrals

When seeking referrals from people in my networking group, what information is safe to gather? So, let's say, for example, I ask Bob for referrals of our ideal client. Bob knows somebody who may be interested in our service, so passes us their contact details. Is this safe?

Samuel Poole Marketing Communications Manager Syn-Star Complete I.T. Solutions

Great question. Actually, in data protection terms it is not safe to do this unless certain things are in place.

Essentially, when dealing with personal information such as contact details, the person who decides what to do with the information is a data controller; in this case, that is Bob.

The data controller has to "process" personal data fairly (and processing includes passing it to a third party, i.e. you). They also have to have one of the six lawful bases to be able to process the data. The most appropriate one in these circumstances is the consent of the data subject. This has to be GDPR-compliant consent, i.e. given freely, not under duress, and in full knowledge of what they are consenting to.

The data controller also has to give "privacy information" explaining how the subject's data will be used. There are specific things that have to be included in this information. It often takes the form of a written notice, but it can also be given verbally depending on the circumstances.

It is incumbent on you to check that the necessary consent is in place for the use you wish to make of the data before acting on it.

Of course, once the information comes into your hands for marketing purposes you become a data controller yourself. In addition, you will need to comply with the Privacy and Electronic Communications Regulations in relation to any electronic marketing messages (phone, fax, email or text).

How long does personal data have to be stored under the data protection law?

The short answer is no longer than necessary.

Some personal data will need to be retained for longer than other data. How long you retain each category of personal data should be based on your own business needs, and you should record the retention period you decide on. A judgement must be made about:

  • the current and future value of the information;
  • the costs, risks and liabilities associated with retaining the information; and
  • the ease or difficulty of making sure it remains accurate and up to date.

There are various legal requirements and professional guidelines about keeping certain kinds of records, such as information needed for income tax and audit purposes, or records on aspects of health and safety. If an organisation keeps personal data to comply with a requirement like this, it will not be considered to have kept the information for longer than necessary.

The CIPD publishes a useful resource on the retention of HR records.

The Data Protection Bill

The UK's third generation of data protection law has entered Parliament.

The Data Protection Bill was published on 14 September 2017 and aims to modernise the UK's data protection laws to ensure they remain effective in the years to come.

The Information Commissioner's Office (ICO) website has been updated to include a new section about the Data Protection Bill.

This explains the relationship between the Bill and the GDPR, detailing the additional areas the proposed new legislation covers. It also includes links to the ICO’s GDPR and Law Enforcement pages and to a Data Protection Bill fact sheet.

Notification under the Data Protection law

When the General Data Protection Regulation (GDPR) comes into effect on 25 May 2018, there will no longer be a requirement to notify the Information Commissioner's Office (ICO), as there is now.

There is a provision in the Digital Economy Act which means it will remain a legal requirement for data controllers to pay the ICO a data protection fee. These fees will be used to fund the ICO's data protection work. As now, any money the ICO receives in fines will be passed directly to the Government rather than retained by the ICO.

The new system aims to make sure the fees are fair and reflect the relative risk of each organisation's processing of personal data. The size of the data protection fee will still be based on the organisation's size and turnover, and will also take into account the amount of personal data it processes. The final fees will be approved by Parliament before they come into force.