Power to the people
GDPR is designed to empower data subjects and give them the final say about who holds their data, for what reasons and for how long.
By demonstrating how effectively you follow these principles, you give your customers and contacts peace of mind and greater confidence to do business with you.
Outdated records should be destroyed, or securely archived if you have a valid reason for keeping them. If you want to keep in touch, you will need to ask for permission to continue holding and using their personal information.
On the positive side, you will then have fresh, relevant and compliant data. As a result, your contact lists will be of a much higher quality and your return on investment in marketing activities will improve.
Under GDPR, when you ask for consent to use personal and sensitive information, you must be very clear about the purpose of your request. Data subjects must be told specifically what they’re being asked to agree to.
Your description of the information you will hold and what it will be used for must be simple and explicit. If different types of data handling are possible (including, for example, emails, texts, and letters), then you must make people aware of each case and, as far as is possible, separate consent should be given for each.
Permission can’t be ‘pre-ticked’ or included in terms and conditions. The data subject must clearly opt-in; pre-ticked boxes won’t be enough to confirm their consent. Nor can you assume that your customer has agreed to let you use their personal information by buying a product or signing up to a service.
You must tell people the name of the data-handling organisation, and the names of any third parties that might share the information.
You will need to keep records of what the data subject has agreed, how they gave consent and the information they were given before agreeing.
It must also be really easy and quick for people to withdraw their consent. This option should be included in all your communications with them. Ideally, people should be regularly reminded about what they have agreed to and asked to renew their permission.
The implications of a data breach under GDPR are severe. You will already be aware that the financial penalty could be 4% of global annual turnover or a fine of up to €20 million (whichever is greater). More importantly, the publicity surrounding a breach could badly damage your reputation and your customers’ confidence.
If something goes wrong, the first questions will be about how well staff members were trained in their responsibilities.
You will also need to show that you have taken the advice of your Data Protection Officer (DPO) and done everything you reasonably can to protect personal and sensitive information, including working with the Information Commissioner’s Office (ICO).
Disclaimer: Please note that the opinions expressed in this blog are that of Un.titled and do not constitute liability for accuracy and/or legal precedence. This information assumes that you have, or will be, taking the relevant advice in relation to the General Data Protection Regulation (GDPR) from the relevant parties.