It doesn’t seem possible that it was 4 years ago that GDPR, a European Regulation, was the buzzword of the world. Businesses across the UK were panicking about the implications of the impending new law, and we as a business were absolutely stacked with clients needing advice, wanting policies and guidance on what it even meant, while many were still putting it off until at least May 2018, when it came into effect on 25th May. The reasons for the reform of the law made sense; there is no doubt it was completely necessary to update the law, since the previous Act was 20 years old.
In those 4 years we’ve had Brexit and even a pandemic …
So, what’s changed?…
The Brexit transition period ended on 31st December 2020, which raised the question of whether the GDPR still applied in the UK.
The answer is yes, it does. As with many of the laws that came out of the EU, our government decided it was a good law and incorporated it into domestic law: the EU GDPR was retained and amended so that it works as a UK statute. This law was no different.
It is now known as the UK GDPR.
The UK GDPR sits alongside the Data Protection Act 2018 (DPA) which adapted EU GDPR rules to the domestic legal system giving definitions, rules for public bodies, and setting enforcement procedures and powers. It also sits alongside the Privacy and Electronic Communications Regulations (PECR) forming the personal data protection legislation in the UK.
As a rule of thumb, if you were compliant with EU GDPR, then you’d be compliant with UK GDPR and DPA, but are you?
The definition of personal data became wider: any information that can directly or indirectly identify a living person is personal data. That covers names, photographs, telephone numbers and email addresses, including business email addresses such as mine, firstname.lastname@example.org, but not our generic info@ address, which is often mistakenly treated as personal data.
Ask yourself these simple questions whilst considering the personal data you currently process (storing data counts as processing, even if you do nothing else with it):
- How did you collect this data?
- What is your lawful basis for processing this data?
- Where is the data stored?
- How old is this data?
- Is it sent to or used by any 3rd parties?
The answers to these questions will help you identify weak spots in your current policy and highlight any potential issues. If you’re not sure how you collected the data, or whether you have a lawful basis for processing it, that is clearly a problem and it needs to be addressed. By getting an overview of the data you currently hold and how you use it, you’ll be able to see what is needed to comply with the data protection laws.
Bear in mind, it is only lawful to process data in certain circumstances and you need to be clear on what your basis is for each set of data you’re holding. If you have a contract with someone, for example, it is lawful to use the data to fulfil your obligations under that contract, but it would not be lawful to use this data for any other purpose (unless legitimate interest applies of course!)
Is the data up to date?
It is a good idea to delete unnecessary data.
It is still likely you have a lot of data that is no longer needed and has no benefit to your business whatsoever. By cleansing your database you will not only be more focused on who your real prospects and clients are, you will also reduce what is exposed if you ever suffer a breach. On top of that, how do you know years-old data is even still correct? Accuracy is one of the principles of the GDPR, as are data minimisation and storage limitation.
Marketing was probably the biggest worry surrounding GDPR, and it still is. Businesses were spamming our inboxes asking for permission to continue marketing to us after 25th May 2018, and it was very clear that they did not actually understand what their obligations were. The GDPR never replaced PECR: the rules on electronic marketing still come from PECR, and what GDPR changed was the standard of consent that PECR relies on.
Consent is not the only way to market, but you do need to be clear on what lawful basis you are relying on. Consent must be freely given (so no pre-ticked boxes or schemes to build a marketing list); this means giving people genuine ongoing choice and control over how you use their data.
Consent should be obvious and require a positive action to opt in. Saying ‘Enter my competition with your email address, but by doing this you agree to all future marketing’ is not a positive opt-in.
I would also be very clear in any emails you send about why you are sending them: ‘You are receiving this email because…’. Not only is this clear and transparent (another principle), it reduces the chance of recipients complaining about your method of contact. The email may be perfectly legitimate, but saying why it is avoids any misunderstanding and stops you looking as if you have ignored GDPR altogether.
Do I need to revise my GDPR documentation?
Yes, you need to update policies, notices and agreements stating the new legislation.
Do not forget to update your website privacy notice to mention the UK GDPR as the regulation that applies to data processing and depending on where your customers are based you may need to mention EU GDPR too.
Call us if you want to discuss this in more detail: 01604 217365