
GDPR (the General Data Protection Regulation) is the latest legislation in the area of data protection and promises to be the biggest shake up to European privacy laws in over twenty years. It will apply in all European Member States (including the United Kingdom) from 25 May, 2018.
Brexit will have minimal impact in this area, as the UK government is planning to introduce its own data protection legislation which, for the most part, mirrors GDPR. GDPR strengthens individuals’ rights and places strict and comprehensive compliance requirements on organisations that process personal data, introducing huge fines for those that do not comply. Understanding how, when and why you are collecting personal information is important, and should be the first step that all organisations take in assessing GDPR compliance.

Does it apply to my Business?
GDPR applies to any ‘data controller’ trading in any EU Member State that ‘processes’ (i.e. collects, manages, stores or uses) ‘personal data’ (i.e. any information relating to an identified or identifiable natural person). Organisations are legally obliged to properly protect personal data. If you are currently subject to the Data Protection Act 1998 it is highly likely that you will be subject to GDPR.
Entrepreneurs, start-up companies and those who are already established in their marketplace will almost certainly be affected by the changes introduced. GDPR does not discriminate by business type and sets high standards for the protection of personal data. Organisations need to take responsibility for ensuring they comply and, crucially, showing how they comply.

Marketing
Start-ups need to get the maximum return on their marketing investment, and many will rely on e-mail shots to their database. This involves data processing, so you must have a lawful basis for it. One such basis is ‘consent’, i.e. the person you are sending the marketing material to has agreed that they wish to receive it, before any processing is carried out.
The GDPR considerably tightens up the requirements around gaining consent. Consent must be “freely given, specific, informed, and unambiguous” and expressed through a “clear affirmative action”. You must keep records of the consent obtained.
An example of a “clear affirmative action” is opting in by ticking a box on your website. Opt-outs and pre-ticked boxes are a thing of the past. The wording next to your box must make it clear what the individual is signing up to, e.g. to receive a weekly update. Wherever appropriate, you should give granular options to consent to different types of processing, e.g. separate options for e-mail, paper mail, text messages, etc. It is envisaged that under GDPR individuals will need to be given several tick-box options, as each consent needs to be “specific”.
Also, it must be easy for people to withdraw their consent at any time. You need to explain clearly how to do this and have a simple and effective withdrawal mechanism in place.

Existing Marketing Databases
If your existing database was not gathered in line with GDPR requirements, then it is likely that it cannot be used after 25 May, 2018. There are two schools of thought about existing marketing databases: (1) contact your database now, asking individuals to update their preferences and opt in again, with those who do not opt in being removed automatically; or (2) delete it all and start again. Whilst daunting, the second option may give you more peace of mind.
Securing compliant consent is crucial. Once you have it you then need to ensure that it is kept up to date and regularly reviewed.
Stephen Grant is a solicitor at Wright, Johnston & Mackenzie LLP. Wright, Johnston & Mackenzie is a full-service, independent Scottish law firm, with a history stretching back over 160 years, operating from offices in Glasgow, Edinburgh, Inverness and Dunblane. Further information on WJM can be found at www.wjm.co.uk