5 GDPR dangers for small businesses

On Wednesday 12th September I attended a ‘Future of Marketing and Advertising post GDPR’ workshop at the Angel, London, run by the Data Protection Forum.

Hellen Beveridge from Data Oversight presented the workshop and I shared a room with data protection staff from well-known car manufacturers, high end jewellers, law firms and compliance companies.

Here are my top 5 revelations from the workshop:

1. Prepare for Brexit

Currently the UK is able to share data with other countries that are members of the European Union and with 12 other countries that have been granted an Adequacy Decision. These countries include Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the USA.

Once Brexit happens on 29th March 2019, the UK will no longer have this agreement in place and will become, under the GDPR, what’s known as a ‘Third Country’. This means we will have no legal basis in place to share data outside of the UK!

What needs to happen is that as part of the Data Protection Brexit agreements, the UK is also granted an Adequacy Decision. But as the Brexit negotiations are taking rather a long time, there is no guarantee that this will be in place before March.

This leaves UK business owners with minimal options. Larger companies can draft BCRs – Binding Corporate Rules – created by lawyers and approved by the Information Commissioner’s Office (ICO), which take a minimum of 18 months to approve. Or they may create Standard Contractual Clauses (SCC) for one-off large data transactions. However, small businesses simply do not have any obvious options, and those of us sharing data outside of the UK – which could simply mean having a client who lives in Italy for whom you run an email marketing campaign, for example – will have to decide what to do for ourselves. We are being expected to learn the Data Protection Laws for each company we need to share data with and comply! That is just not a workable option for small business owners!

2. Get a Customer Relationship Management system (CRM)

Part of GDPR states that we must have a retention period for the data we hold. What became clear at this workshop was that the ICO expects businesses to have very clear policies and procedures in place to know and manage this. They expect a ‘single customer view’. This is difficult to show on Excel spreadsheets alone, so moving to a basic CRM could be an option. Within a CRM you can create fields that record, for each person (Data Subject):

  • The source of the data e.g. how you connected with that person
  • The date of connection e.g. when you met or first corresponded
  • Any correspondence, purchases and data transactions with that person and the dates they occurred.

With this info you should be able to generate a report, or work out when the deletion date of your data should occur, e.g. 6 years from the last time they corresponded/interacted/bought from you.

This means that the retention period of that data would run from the last time this person responded to your business, rather than when you first met them. But this may be difficult to work out from what your CRM currently records. Software such as DPOrganiser is available on the market, but at a cost.
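To make the retention rule concrete, here is an added example (not from the workshop or the original post) that applies the “6 years from the last interaction” calculation to a few constructed CRM records. It assumes the three fields listed above are stored per Data Subject; the record names and dates are made up.

```python
from dataclasses import dataclass, field
from datetime import date

RETENTION_YEARS = 6  # the post's example period, counted from the last interaction


@dataclass
class DataSubject:
    name: str
    source: str                 # how you connected with this person
    connected_on: date          # when you met or first corresponded
    # dates of correspondence, purchases and other data transactions
    interactions: list = field(default_factory=list)


def last_interaction(subject: DataSubject) -> date:
    """Retention runs from the most recent interaction, not from first contact.
    A subject with no recorded interactions falls back to the connection date."""
    return max(subject.interactions, default=subject.connected_on)


def deletion_date(subject: DataSubject, years: int = RETENTION_YEARS) -> date:
    last = last_interaction(subject)
    try:
        return last.replace(year=last.year + years)
    except ValueError:  # 29 February landing in a non-leap year
        return last.replace(year=last.year + years, day=28)


def due_for_deletion(subjects, today: date) -> list:
    """Names of subjects whose retention period has expired as of `today`."""
    return [s.name for s in subjects if deletion_date(s) <= today]


# Constructed sample records (hypothetical people and dates).
SAMPLE_CRM = [
    DataSubject("Alice", "networking event", date(2010, 5, 1),
                [date(2011, 3, 10), date(2013, 9, 15)]),
    DataSubject("Bob", "website quote form", date(2012, 1, 20)),
    DataSubject("Carol", "trade show", date(2008, 2, 29)),
]

if __name__ == "__main__":
    for s in SAMPLE_CRM:
        print(f"{s.name}: delete on {deletion_date(s)}")
    print("Due now:", due_for_deletion(SAMPLE_CRM, date(2018, 9, 12)))
```

Bob is due for deletion because his retention runs from first contact (no later interaction), while Alice’s runs from her 2013 purchase.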

3. Using Legitimate Interest

Also known as the ‘Get out of Jail Free’ option for businesses to continue marketing! Be aware that it is not! You are still required to craft reasons why you are using legitimate interest as the basis for your data processing and why you are not able to use Consent instead. ‘Because it’s too hard’ is not an answer accepted by the ICO! Write up these reasons and save them in case of future auditing.

However, if you wish to send a business-to-business enewsletter to people who have asked you for a quote, shown an interest in your products previously, or were or are a customer within the last 6 years – then you are able to do so under legitimate interest. Be careful to only mail business email addresses and not Yahoo/Gmail etc., and know that you can’t use legitimate interest as a reason for processing Sensitive Data.

If you can realistically use legitimate interest as your legal basis for processing data, you DO NOT NEED TO GET CONSENT as well! Excellent!

Obviously, ensure that everyone can opt out of said enewsletter when they need to and make it obvious and easy for them to do so.

4. Data Processors, beware!

On processing data for a client, such as sending an e-newsletter for them or ‘augmenting’ data, marketers could be classed as a Data Controller rather than a Data Processor – and fined accordingly should any incident occur.

A recent case by the ICO saw a well-known marketing agency fined as a Data Controller for doing just this, when in fact they were acting under instruction from their client.

Marketer or not, if you’re processing data for other people, ensure that you have appropriate documentation in place with all your clients which clearly states your data sharing processes, all systems used (put these in your Privacy Notice too) and your data management expectations of each other.

5. List buying – it’s on your head

If you buy lists from elsewhere, be very sure how the company obtained consent from the Data Subjects (people) on that list in the first place. It will be your company that could get fined if you do not have the appropriate consents in place! Before purchasing the data, ask the following questions:

  • When was the data collected? (You need to work out the retention period)
  • How was it collected? (To know the data source)
  • What did the Data Subjects consent to? (If people agreed to be contacted about boilers and you are trying to sell them jewellery, the Consent is probably too tenuous to use it)
  • How does your third party data seller comply with Article 13/14? This area of the GDPR highlights the right of individuals to be informed about the use of their data and who it will be shared with. At the point of data collection, how would the third party broker know the data would be sold to your company, in order for them to tell the individual their info would be shared with you? In this instance, the third party broker should be notifying the individual of the data share within 28 days. Can they prove this has occurred?

To summarise, GDPR is not going away. The UK Data Protection Bill is based on it and it will form the new UK Data Protection Act. Further laws are on their way and the ICO are listing all non-complying companies on their website in ‘name-and-shame’ fashion.

Do not be one of them! Contact me if you need further guidance and I can help you through a GDPR audit.

Thanks for reading!

Amanda
