Hopefully, by now you will be aware that the General Data Protection Regulation (or GDPR) comes into force on 25 May 2018. If you haven’t yet embarked on a plan of action it is not too late – but doing nothing is simply not an option!
Personal data is extremely valuable and has been described as ‘the new oil’. This has been highlighted recently with the Facebook and Cambridge Analytica situation which has had a high profile in the media.
As a way of helping to disseminate information and share best practice, the HTA hosted two workshop sessions at Horticulture House on 28 March. Providing an overview of what is required along with wider advice on cyber security, speakers Catherine Ripley from Field Seymour Parkes (a law firm based in Reading) and Edwin Meijer from Garden Connect were on hand to provide advice and answer questions. A summary of their recommendations is below.
- Doing nothing is not an option
- Carry out a data audit
- Review the results and plan what changes you need to make
- Implement the changes
- Review your data protection practices at regular intervals.
Overall a common sense approach was advocated, recognising that the level of response will be different for different types of businesses. Whilst many businesses will have made progress with GDPR compliance by 25 May, it is going to be an ongoing process, and what is important is that you have taken stock of your situation and have an action plan for taking it forward. Your whole-company attitude to data is what’s important, as over time consumers will vote with their feet and only be willing to deal with businesses that handle their data carefully.
A few key tips that might help…
- Think of this as health and safety for personal data
- It is important to keep records of what you are doing to comply so you can demonstrate your approach if asked
- Be clear as to why you are using data
- Consolidate where you can and keep your data in a single place – a CRM or other central system, rather than numerous spreadsheets, will help to reduce duplication
- Only request data that you actually need from people
- Only keep data as long as you really need it.
Further information and guidance is available at www.hta.org.uk/GDPR including links to the ICO website. A video of the morning workshop session will also be available to view on the HTA website.
Questions from the floor
The sessions were extremely interactive and each concluded with a panel session where speakers were joined by James Bleazard from HTA Insurance Services. A selection of questions raised throughout the course of the day can be found below.
The answers and recommendations below were given by Catherine, Edwin and James during the seminars.
Do I need to ask for consent for all my business communications?
You need to have a reason for collecting and using data. Data about customer-related activities, such as sales and deliveries, which is recorded on a CRM or other central system is held to help you perform your business contracts and you don’t need consent to use it. For many businesses marketing will be the only area where consent is required.
Is it enough to email my database to ask whether they want to receive communications from us in the future?
In most cases new names should only be added to your database if you have GDPR-compliant opt-in consent to do so. This is the safest way of knowing that you have a lawful basis for processing personal data for marketing purposes. You should provide some privacy information when seeking consent and you should explain how consent, once given, may be withdrawn. It’s also a good idea to give individuals options as to what marketing information they would like to receive. But don’t bombard them with too many options – up to 6 across core business areas is probably enough. You should keep records of everyone who gives consent and when.
Whether you seek fresh consent to send marketing information to existing customers and contacts or rely on “legitimate interest” to send marketing material will depend on your particular circumstances and it’s probably best to seek advice if you are unsure. However you shouldn’t go too far wrong if you take a common sense approach.
Do I need to get any of my customers to re-subscribe if they are already members of our loyalty scheme?
Again this will depend on your particular circumstances, but it’s probably reasonable to assume that people who have already signed up to your loyalty scheme will want to continue receiving marketing information from you even if you don’t have their original sign-up information. That said, it is good practice to regularly review your lists and identify any dormant contacts (e.g. people who haven’t opened emails for a period of time) and remove them accordingly.
How about people who sign up in-store or at events?
Where people are required to fill in a form to sign up and give consent you should save this to demonstrate that they have given permission.
How long should I keep people on my mailing list?
This will vary from one business to another, but it is good practice to maintain an active list and remove dormant contacts at regular intervals. This is not only good from a GDPR perspective but also makes good business sense.
How can I ensure that my staff adhere to GDPR?
All business owners and managers have a responsibility to ensure their staff comply. So once your audit and action plan have been undertaken it is important to provide your staff with clear instructions and training as to how you expect them to handle and take care of personal data.
How long do I need to keep failed application forms and CVs?
In most cases there will be little reason to keep them for more than, say, 3 months after which they should be destroyed.
How long do I need to keep ex-employee records?
Employees can make a claim up to 6 years after leaving a role, and so with that in mind many businesses will opt to keep records relating to ex-employees for 6 years from the end of the employment.
What happens when I deal with a third party supplier such as a payroll company or EPOS provider?
As the owner of the data you are the data controller and the third party is the processor. Whilst the data is ultimately your responsibility, the processor also has a duty to handle the data in accordance with the law and keep it secure. To make sure that this is done, the GDPR requires that contracts meeting certain requirements are put in place between controllers and processors. If you haven’t already been contacted by your third party supplier about putting such a contract in place, you should contact them and ask.
What happens if I don’t comply?
As you may have already seen in the press, the authorities will have the power to impose significant fines on businesses which don’t comply with the new rules (up to 4% of turnover or €20 million). Although the largest fines are likely to be reserved for the largest, global offenders the message to take away is that everyone is getting serious about privacy and you mustn’t get left behind. What’s more, if you were to have a data breach the negative publicity about the fact that you are a company that doesn’t look after its customers’ personal data is likely to be far more damaging than any fine.
Who is going to police GDPR?
The ICO (the Information Commissioner’s Office) is the UK authority that will be policing GDPR. They will get involved if a data breach is notified to them (either by the company or by a data subject) or if some other complaint is made to them. Further information can be found on their website – www.ico.org.uk.