The General Data Protection Regulation (GDPR) comes into force on 25 May 2018. GDPR covers all manner of personal data processed by businesses and applies to businesses of all sizes, with few exceptions.
It applies not only to employees but also to customers and any contacts whose personal details are stored for business purposes. Penalties for non-compliance can include fines of up to 4% of worldwide turnover or €20 million/£17 million, together with new criminal offences for responsible directors in specified situations.
There are numerous ways in which a business interacts with its customers. If you already have a database of existing customers or intend to create one this year, you must consider the implications of GDPR. Failure to do so can now result in fines which could cripple your business.
The sections below give much more detail on the considerations for your business when you collect and use data from people who buy your products and/or services online.
It is important to make sure people who sign up for marketing information, or enter a prize draw at any festivals, fairs and shows you attend this year, have given their consent for you to use the personal information they give for these purposes.
GDPR requires your business to communicate transparently regarding the personal data it is collecting, processing and storing.
For online businesses, this is best done through a standalone privacy policy clearly displayed and accessible from your homepage. Whilst all online businesses should have such a policy in place, it is highly likely that any existing policy will require updating to become GDPR compliant, thereby reducing the risk of the Information Commissioner's Office (ICO) imposing sanctions for breach.
A typical privacy policy would, and should, include details of:
Businesses should also review and update the data protection clauses in their existing terms and conditions to bring them in line with GDPR principles. For any business currently operating without formal terms and conditions, now is the time to put in place a compliant set, not only ensuring GDPR is addressed but also protecting the wider operation of the business.
In the modern world, online marketing is a core strategy of many businesses. For those carrying out unsolicited electronic marketing campaigns, the recipient must have given express permission (consent) at the time their data was originally collected. Without this, a business is not permitted to market to them.
Consent means an unambiguous, freely given, specific and informed indication by an individual signifying agreement to the processing of personal data.
This form of consent cannot be implied. It requires a positive action (opt-in) in response to a clear, concise and prominent request detailing the data controller’s name, the specific purpose for processing and the types of processing activity.
Put simply, as a minimum in obtaining express consent to market you should outline:
Active opt-in consent can be obtained in a number of ways, including ticking an opt-in box on paper or electronically, signing a consent statement on a paper form, or selecting from equally prominent yes/no options.
All businesses should maintain records evidencing a person’s consent, detailing who consented, when they consented, how they consented, what they were told and if consent has been withdrawn.
It is important that consent can be easily and freely withdrawn by the individual whenever they choose to do so, for example by including an unsubscribe option in every email or by providing consent preference tools that allow individuals to manage and withdraw consent.
Consent records should be reviewed regularly and refreshed if anything does change, such as a change in circumstances regarding the purpose for which data is collected or where operating processes evolve.
GDPR does not outline how often consent should be refreshed, as this will often depend on the context in which consent is sought. However, the ICO’s “if in doubt” guidance states that consent should be refreshed at least once every two years. This is a sensible timescale to operate to where there is no stronger reason to refresh consent sooner.
An effective way to manage this requirement is to build consent reviews into internal business processes, with clear lines of responsibility for the task. This is what the ICO will expect to see, and businesses will need to be able to demonstrate it.
There is an exception to the above requirement called the ‘soft opt-in’. The conditions which must be met for the soft opt-in to apply are as follows:
For businesses wishing to use previously collected contact details for marketing campaigns after 25 May 2018, the above requirements need to be satisfied. Many current practices for the collection and use of personal data will not be GDPR compliant.
Unfortunately, it is not a quick fix to simply make contact with existing mailing lists to seek consent. The ICO has specifically advised that emails sent to individuals in such circumstances are themselves marketing emails and there are examples of organisations having been fined for doing this recently.
GDPR is complex and detailed. Larger organisations have recruited dedicated compliance officers to meet the scale of the task, whilst smaller organisations need to manage the exercise and satisfy these more onerous requirements from existing resources.
You cannot hide from the changes; they are not optional. There is one clear certainty: 25 May will be upon us in a matter of weeks. Businesses need to act now to ensure they are GDPR ready.
You can check online for further advice or contact a member of our Corporate Commercial team to review your existing policies and business terms and conditions.