Blog – Reputation Matters

GDPR Myth Buster – It’s all about marketing

No, it’s not.

Personal data is any information relating to an identified or identifiable living individual, that is, someone who can be identified, directly or indirectly, from that information (on its own or combined with other information you hold).

What identifies an individual could be as simple as a name or a reference number, but it can also be an online identifier such as an IP address or a cookie identifier.

The rules apply to both electronic personal data and to certain manual filing systems.

Processing means doing just about anything with the personal data including collecting, storing and disposing of it.

Employees and job applicants are covered too, so the rules apply even to notes made about candidates at a job interview. Don’t write anything you wouldn’t want the candidate to read, because they have the right to make a subject access request and see it.

In relation to marketing, we also have to bear in mind the Privacy and Electronic Communications Regulations (PECR), which apply alongside the GDPR whenever you send electronic marketing messages by phone, fax, email or text.


GDPR Myth Buster – I’ve been in business for years and never had a problem

That’s great news.

The ICO, like many regulators, has an issue-driven enforcement policy.

If there is a significant data breach or numerous complaints then enforcement action may well follow.

If this happens, the ICO will ask how you can demonstrate compliance (the GDPR’s accountability principle requires you to be able to show it, not just claim it).

If you can’t, you will have no defence and will have to face the consequences, which will more than likely include reputational damage as well as any fine or enforcement notice.


Do we have to have a Data Protection Policy?

There is no specific legal requirement to have a data protection policy under the Data Protection Act 2018 or the General Data Protection Regulation (GDPR). However, there are several areas where such a document could prove useful.

Documentation

The GDPR contains explicit provisions about documenting your processing activities:

  • You must maintain records of several things, such as your processing purposes, who you share data with and how long you retain it.
  • Documentation can help you comply with other aspects of the GDPR and improve your data governance.
  • For organisations with fewer than 250 employees, the record-keeping requirement is limited to certain types of processing: processing that is not occasional, that is likely to result in a risk to individuals, or that involves special category data or criminal offence data.

Transparency

In addition, individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under GDPR. You must provide individuals with information including:

  • your purposes for processing their personal data,
  • your retention periods for that personal data, and
  • who it will be shared with.

This is called ‘privacy information’. (Many businesses give this information in a “Privacy Notice” or “Privacy Policy” published on their website.)

You must provide privacy information to individuals at the time you collect their personal data from them.

If you obtain personal data from other sources, you must provide individuals with privacy information within a reasonable period of obtaining the data, and no later than one month. If you use the data to contact the individual, or disclose it to someone else, before that month is up, you must provide the information at the latest at that first contact or disclosure.

Using Data Processors

As well as being legally obliged to formalise the working relationship with a data processor in a written contract (Article 28 of the GDPR sets out what that contract must contain), data controllers (the organisations that decide why and how personal data is processed) must also satisfy themselves that the processor provides sufficient guarantees that it will process personal data in line with the GDPR’s requirements. Part of this due diligence is asking to see relevant documentation, such as the processor’s privacy policy, records management policy and information security policy.

Respond to regulatory regimes

A regulator’s purpose is to ensure there is a level playing field and to protect the weaker party in any transaction (which is usually the client or customer).

If a regulator has cause to investigate a business, it will look for evidence of insufficient control over business processes.

It makes sense to be in a position to show that you have done everything reasonably possible to comply, and that you carry out checks to make sure your procedures actually work in practice.

That way the regulator is more likely to help you resolve compliance failures, rather than take enforcement action, which can prove costly for a business.

Network referrals

When seeking referrals from people in my networking group, what information is safe to gather? So, let’s say, for example, I ask Bob for referrals of our ideal client. Bob knows somebody who may be interested in our service, so passes us their contact details. Is this safe?

Samuel Poole, Marketing Communications Manager, Syn-Star Complete I.T. Solutions

Great question. Actually, in data protection terms it is not safe to do this unless certain things are in place.

Essentially when dealing with personal information such as contact details the person who decides what to do with the information is a data controller, in this case, Bob.

The data controller has to “process” personal data fairly (processing includes passing it to a third party, i.e. you). They also have to have one of six lawful reasons to be able to process the data. The most appropriate one in these circumstances is the consent of the data subject. This has to be GDPR-compliant consent, i.e. given freely, not under duress, and in full knowledge of what they are consenting to.

The data controller also has to give “privacy information” explaining how the subject’s data will be used. There are specific things that have to be included in this information, which often takes the form of a notice but can also be given verbally, depending on the circumstances.

It is incumbent on you to check that the necessary consent is in place for the use you wish to make of the data before acting on it.

Of course, once the information comes into your hands for marketing purposes you become a data controller yourself. In addition, you will need to comply with the Privacy and Electronic Communications Regulations in relation to electronic marketing messages (phone, fax, email or text).