Our minds, out of necessity, were on Brexit and are now on Covid-19, and will be for the foreseeable future, but cast your minds back to Spring 2018, when it was the GDPR that grabbed all of the headlines. We might remember all of those re-permissioning emails, keen to get our ‘consent’ to continue marketing to us, and who can forget the tales of organisations that slashed their marketing lists when they probably didn’t need to.
It was difficult for organisations to understand exactly what it was they needed to do, when there were so many competing voices in the marketplace, or vendors offering ‘easy’ solutions, which turned out to be anything but.
Here are FIVE things you can do now if you haven’t started your compliance journey. If you have already made a start, use these as reminders about some of the important areas in Data Protection.
1. Have you registered with the ICO?
This is such an easy thing to do and can be completed in a matter of minutes. It is a legal requirement that you register (unless you are exempt). Take the ICO’s self-assessment test to see if you need to register, follow the links and pay your yearly fee. Once you are on the system, you’ll get yearly reminders from the ICO. Once you get your Registration Number, it’s a good idea to put it on your Privacy Notice. The ICO has taken action against firms who haven’t paid their fee and you could get a fine of up to £4,350.
2. Have you got a Data Map?
Have you started to map out what personal data you process? This includes customers, staff, suppliers and patients (if you are in health care). This can be done easily in an Excel document where you list, among other things: what it is you collect, why, how you came about it, what the legal basis is, who you share it with, how long you keep it for, etc. This will give you a good overview and allow you to plot user journeys and pick up on any gaps there might be. For example: have you ever thought about how long you are keeping personal data for? There are many software solutions for Data Mapping, but making a start is more important than waiting for the perfect solution.
3. Is your Privacy Notice up to date?
The GDPR obliges us to be ‘transparent’ with Data Subjects about what we are doing with their data. Once you’ve done your Data Map, you’ll be able to fill in your Privacy Notice. Your groups of Data Subjects (staff, customers, patients) should all have access to your Privacy Notice so that they can see why and how you are processing their personal data. This is your chance to build trust; after all, if you’ve got nothing to hide, then be honest and authentic in your Privacy Notice. There are many ways of doing a Privacy Notice, you might even want to make a video, but what goes into the Privacy Notice is laid out very carefully in Article 13 (and 14) of the GDPR.
4. Have you reviewed your marketing activities?
When you’re thinking about your customers and potential customers, it’s a good opportunity to review how you are marketing to them. One of the issues we saw last year was that some organisations had been told that they needed ‘consent’ to send email marketing. This is only partly true. You DO need consent for potential customers, but you are permitted to market to your existing customers under another legal basis (legitimate interest*). Technically this is without their consent, but there are a number of caveats. Since 2003, the Privacy and Electronic Communications Regulations (PECR) have allowed organisations to market to customers as long as you gave them the option to Opt-Out at the time of data capture and there is an Opt-Out on every future communication. So instead of asking your customers to Opt-In, you are offering them the option to Opt-Out, as they are already ‘in’ – because they are your customer.
5. Are your IT systems secure?
It takes a team to get to grips with an organisation’s Data Protection obligations. An important member of this team is the IT specialist, who can help with the security of your digital data. Issues like using strong passwords and encrypting and securely storing personal data are all important aspects of a Data Protection audit. Your IT team or outsourced Consultant will be invaluable in your preparations, and it is wise to seek their advice as well as legal and compliance advice from organisations such as ours.
I’ve only managed to capture a brief overview of a few things to consider. Hopefully you’ll find it helpful, whether you are starting your journey or simply need a reminder. Look out for the next Data Protection Blog, where I’ll be explaining more about what you need to do and busting some myths along the way.
Please get in contact with us at firstname.lastname@example.org or call us on 0800 6894168 if we can help you with any of this!
*If you are using legitimate interest as a legal basis, you’ll need to have on file a ‘legitimate interest assessment’ – this is your evidence that you have thought through the implications of what you are doing and have done a ‘balancing’ test to show that you have taken into account the rights and freedoms of your Data Subjects (in this case, your customers).
Author: Amanda Williams
Let us know if we can help you!