This time last year we were being inundated with messages and reminders of the new GDPR that came into play on 25th May 2018 and how you can ensure your business is compliant. What may not have been clear is that keeping compliant to the regulations is an ongoing exercise and not just a one off.
GDPR affects all businesses who hold ‘personal data’ (see our GDPR glossary) of any sort, be that customer information, supplier information or even employee information. Since the implementation of the GDPR last year, the advice around it may have gone a little quieter – so here’s a reminder of some of the key takeaways:
Conditions under which you can contact potential customers (must meet one or more):
The way you can market to potential clients has changed under the GDPR. Previously companies would purchase data lists of 1,000s of contacts and send them marketing communications promoting their product and services. Now under GDPR these contacts need to be ‘opted-in’ or subscribed to your mailing list for you to contact them.
You must balance your interests against the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.(Further details on ‘legitimate interest on ICO website). For example if they are an existing customer who bought (or negotiated to buy) a similar product or service from you in the past, it could be said that they have legitimate interest and so can be communicated to.
Data storage and the ‘right to be forgotten’
Getting the consent of contacts to market to them is in itself a challenge – but compliance doesn’t stop after the consent is given. The GDPR means that you have to have records of when they gave consent and how they gave it and be able to remove all traces of their personal data if requested.
Accountability and governance
Ensuring you are complying and can demonstrate compliance. Under this principle is the responsibility of keeping personal data secure and protecting against potential cyber attacks and data breaches.