GDPR: 3 practical questions facing businesses like yours
In just a few months—on May 25th—compliance with the General Data Protection Regulation (GDPR) becomes mandatory. The biggest change to data protection law for a generation, it imposes vastly stricter data protection requirements on businesses, and a far tougher penalty regime.
By now, there can be few businesses that don’t know this. Reminders are everywhere, and it is hoped that most are well advanced with their compliance plans. The debate has moved on from “What is the General Data Protection Regulation?” to “How exactly do we comply with it?”
But as businesses ask that question, and work through their compliance process, practical problems can arise. And here at The Legal Director, we’re noticing that many of our clients are asking us the same questions about those problems.
So here—right from the front lines of General Data Protection Regulation compliance—are three of the most commonly-asked questions that we hear, along with the guidance that we usually provide.
1) "Direct marketing counts as a ‘legitimate interest’, right?”
Wrong. A lot of marketing departments seem to have latched on to the Regulation’s mention, in section 47, of the fact that direct marketing is a legitimate use of personal information.
And that’s true, as the UK’s Information Commissioner’s Office has affirmed.
But that doesn’t mean that the use of personal information for direct marketing by electronic means can necessarily be regarded as unregulated, as some marketing departments also seem to think. Instead, it means that such use is already governed by existing laws—notably the Privacy and Electronic Communication Regulations 2003—and that compliance with those laws is already a requirement and this will remain the case after the GDPR is in force.
Meaning that businesses can only carry out unsolicited electronic marketing to individuals (which includes sole traders and some partnerships in your datasets) if the person who they are targeting has already provided their permission for this—or, exceptionally, if so-called ‘soft opt-in’ conditions are met. There is also not a continued free for all on marketing to your commercial contacts as you should supply a privacy notice to explain that you are relying on having a legitimate interest as well as the ubiquitous unsubscribe method.
Further, the business needs to think carefully about how it engages with those whose details have come to the business by delegate lists, attending trade fairs, passing business cards and the like. Add to the mix that this is set to change when the new privacy regulations (e-PR) come into force as commercial contacts will then have to be managed under the same regime as individual contacts.
With the burden of proof regarding these ‘soft opt-in’ conditions and capture of GDPR consent being on the business carrying out the marketing campaign, everyone’s expectation to have the power of “opt in” and the new e-PR on the horizon , our view is that each business with a mixed data set (business and individuals) needs to make a business decision now – do you play it safe and only send direct marketing material on the grounds of consent OR ride the legitimate interests wave for business contacts while it’s here?
2) What exactly does the ‘right to be forgotten’ entail? Just which data must we erase?"
This is a question that has been causing some IT departments to have sleepless nights. Understandably, IT systems don’t take kindly to having invoice records and other transaction-related documents erased, just because a consumer doesn’t want any further marketing messages, or feels that their data has been misused.
The good news: businesses can relax—up to a point.
First, erasure will generally only be an issue if personal data has been used incorrectly or unlawfully. Use it properly and appropriately and data subjects won’t feel the need to ask you to erase any data or if they do you can resist the request as the processing is in line with GDPR and your policies.
So if your business’s data retention policy says you will retain the specific data for 7 years make sure you do just that as after this period you are processing it unlawfully. This gives you some time to make sure you have data ecomaps of where data is in your systems and have worked through anonymization or deletion processes to manage your own retention policy to the letter.
3) "After May 25th we can relax, right?”
Wrong, again. As the Information Commissioner’s Office put it, the General Data Protection Regulation isn’t like the issue of ‘Y2K Millennium Bug’, which focused attention on how computer systems handled the transition from December 31st 1999 to January 1st 2000.
Once January 1st 2000 had happened, businesses could relax. Not so with the General Data Protection Regulation: compliance is an ongoing requirement.
So the need for compliance will have to be built into every marketing campaign, and every project. And businesses will be expected to continue to identify and address any emerging privacy and security risks in the weeks, months and years beyond May 25th.
The General Data Protection Regulation, in short, will have to become another aspect of how business is done, as with any other ongoing regulatory requirement.
GDPR: the bottom line
It’s fair to say that the General Data Protection Regulation has come as something of a shock to quite a number of businesses. Certainly, it’s no simple ‘box ticking’ exercise. It’s a real legal requirement, backed up by real regulatory teeth.
That said, as the Information Commissioner herself has pointed out, it’s also an opportunity to put good data protection practices in place right across the organisation—practices that will make your business more secure, and which will reduce the reputational risks that it faces from a data security breach.
In other words, there’s considerable merit in not just complying with the General Data Protection Regulation, but complying with it properly, and robustly, and with systems and procedures that are truly fit for purpose.
Are yours truly fit for purpose? If you’re not sure, we can help. To find out how, pick up the phone, or email firstname.lastname@example.org
Posted Thursday, March 1st, 2018 by Warren RylandTweet
Other Articles In This Category
- IR35 and the private sector: are changes on the way?
As the government considers extending to the private sector its public sector reforms of the rules relating to the engagement of contractors through so-called... read more
22nd of March 2018 by Warren Ryland
- I'd like to work from home, says an employee. Now what?
Conversations about employees working from home were once very short. In those rare instances where employees did venture to enquire about the possibility, the... read more
8th of January 2018 by Warren Ryland
- Is a domain squatter set to steal your brand?
It’s fair to say that many businesses are unprepared for the new .uk Internet domain - which is unfortunate, as from June 2019, they could find that their... read more
5th of December 2017 by Warren Ryland
- Did you negotiate your last loan agreement - or just sign on the dotted line?
For businesses wanting to grow or invest, external finance can be an attractive option: access to the funds that they need, without equity dilution or... read more
2nd of November 2017 by Warren Ryland
- Protecting the value of your newly-acquired businesses can be a challenge
Buying a business is exhilarating. Hard work, to be sure - but undeniably exciting, and with a rich sense of the opportunities that lie ahead. So perhaps... read more
2nd of October 2017 by Warren Ryland
- GDPR. The clock is ticking: a tough new take on data protection is fast approaching
With effect from 25 May 2018—in other words, less than a year away—your business is exposed to a new regulatory regime backed by hefty fines. And by... read more
6th of September 2017 by Warren Ryland
- Persons of Significant Control: important changes to reporting requirements
It’s barely a year since the introduction of the PSC regime - and already, the compliance requirement has been tightened. And at a time when many businesses... read more
23rd of June 2017 by Warren Ryland
- Avoiding conflict when forming a business: probing questions for potential partners
Every year, several hundred thousand new businesses are created. In 2015, according to the Office for National Statistics, the total was 383,000—the highest... read more
28th of April 2017 by Warren Ryland
- Is your business at risk from the Uber decision? Why your self-employed contractors could really be employees
Fuelled by companies such as ride-hailing business Uber and personal courier firm Deliveroo, the so-called ‘gig economy’ is on the rise. So much so,... read more
12th of January 2017 by Warren Ryland
- The Legal Director - Commended for Innovation in the FT Innovative European Lawyers awards
Law firm The Legal Director (TLD) has been commended in the FT Innovative European Lawyers awards, which were announced at the beginning of this month. TLD ranked... read more
28th of October 2016 by Warren Ryland
- Debt versus Equity - Financing for SMEs
The need for additional finance is often the price of success for small to medium-sized enterprises (SMEs) that are looking to grow. The question that faces the... read more
14th of October 2016 by Warren Ryland
- The deceptive complexity of the Modern Slavery Act
At the end of July, Prime Minister Theresa May launched a cabinet-level government taskforce to eradicate modern slavery in the UK. It was, she said, “one of... read more
31st of August 2016 by Warren Ryland
- How our clients will benefit from the Bar Council's escrow account
Outside the narrow realms of consumer technology, there’s often an inevitable trade-off between cost and quality. In other words, you can have something at... read more
7th of July 2016 by Warren Ryland
- As the net starts to close, the Bribery Act prosecutions begin
As we have written before, the Bribery Act 2010 is a law with undoubted teeth. Fines are potentially unlimited, and custodial sentences can be up to ten... read more
1st of May 2016 by Warren Ryland
- New rules on shareholder identification are now in force
New rules on shareholder identification are now in force - and yet many businesses aren’t aware of them. Does your business have corporate or nominee... read more
12th of April 2016 by Warren Ryland
- First SRA-regulated law firm signs up to Bar Council's escrow account
PRESS RELEASE: The Legal Director has become the first law firm regulated by the Solicitors Regulation Authority (SRA) to sign up to the Bar Council’s... read more
31st of March 2016 by Warren Ryland
- Trade marks: the 3 biggest mistakes to avoid
Wander around a supermarket, or browse the advertisements in newspapers and magazines, and you’ll see trade marks everywhere. And it’s likely, too, that... read more
29th of February 2016 by Warren Ryland
- Avoiding flexible working's hidden pitfalls
You don’t have to look too far to see that traditional modes of employment are increasingly giving way to more flexible working arrangements. Returnee... read more
9th of November 2015 by Warren Ryland
- Are you paying your workers the right amount of holiday pay?
A recent ruling by an Employment Appeal Tribunal is set to cause many businesses a headache. Quite an expensive headache, at that. Simply put, it means that... read more
15th of July 2015 by Warren Ryland
- The Bribery Act 2010: are you running a risk of breaking the law?
To see the difficulties that businesses can get into through bribery - or even allegations of bribery - look no further than the reputational damage suffered... read more
11th of June 2015 by Warren Ryland
- It's official: "Lawyers are not cost-effective"
Imagine, for a moment, that when faced with a serious illness, significant numbers of people took no action. And of those who did take action, around... read more
20th of January 2015 by Warren Ryland
- Could a Shareholder Agreement save your business?
Here at The Legal Director, we’ve recently come across a business where the two co-founders have fallen out -- one is now leaving, in order to set up on his... read more
1st of December 2014 by Warren Ryland
- The high-fee culture that's hobbling British business
Another week, and yet another critical item in the press on the cost of obtaining corporate legal advice. And to be sure, it’s certainly a fairly open goal at... read more
11th of November 2014 by Warren Ryland
- Is crowdfunding the answer to your business's financing challenge?
As the credit crunch and ensuing recession of 2008 began to bite, lending to businesses dried up. To their shock, even long-established, profitable businesses... read more
2nd of September 2014 by Warren Ryland
- Complying with the Data Protection Act: 3 business bear-traps awaiting the unwary
Visit the website of the Information Commissioner’s Office, and there’s an interesting section entitled ‘Enforcement’. In it, the... read more
1st of September 2014 by Warren Ryland
- What might a Legal Audit reveal about your business?
When we start working with a business we assess their existing legal arrangements to determine how these can be improved and aligned with commercial objectives. We... read more
9th of July 2014 by Warren Ryland