GDPR – The end of the world as we know it?
That’s the question posed to Mike Holland, Account Director of OlsenMetrix Marketing in the latest edition of Connected – The Chamber of Commerce Magazine.
He states:
GDPR comes into force on the 25th May 2018 and will be enforced in the UK by the Information Commissioner’s Office.
GDPR is aimed at an organisation’s use of personal data. Anything which identifies an individual, or can be associated with an individual is deemed personal data.
For example, a business E-Mail address linked to an individual is personal data. He goes on:
Importantly, GDPR does not just cover E-Mails and Marketing. It covers all personal data that businesses and organisations handle. That includes items such as personnel records, CV’s and job applications, customer records, E-Mails and more. And it covers data not just on computers and IT systems but information held on paper, in filing cabinets, in card index systems or anywhere else, including your mobile phone.
It is however easy to overstate the impact of GDPR. This is not the end of the world as we know it. The new legislation is mostly going to restate what is already either law or best practice.
A number of myths have grown up around GDPR. One of the most common is that GDPR requires you to have permission to contact people before you do so: This is simply not true.
What is true is that if you have a list of people, for whatever purpose, whether it is held on computer or in a little black book – you will be covered by GDPR. You need to have assessments in place to justify your possession of that list and your use of it. You must also have systems and procedures in place to keep it secure.
However, you don’t necessarily need to have permission (legally known as informed consent) to contact the people on that list. For most organisations there are 3 legals bases on which data can be collected, stored and used in addition to informed consent: These are:
- To perform a contractual obligation.
- To fulfil legal obligations – for example the recording of accidents or demonstrating compliance with regulations.
- To pursue legitimate interests.
With the latter, you need to conduct a legitimate interest assessment, showing why and how you plan to use the data. The assessment needs to balance the rights of the individual to privacy versus your need to breach that privacy by contacting them or holding data on them. The law says you have a legitimate interest in doing that if it is necessary for achieving your commercial or business interests.
GDPR gives people a wide range of rights to control your storage and use of their data. They are entitled to see all the data you hold on them, they are entitled in some circumstances to be forgotten, and they are entitled to object to automatic processing of their data (so the computer says no) will no longer be a permissible answer to an enquiry.
So Mike concludes:
GDPR will certainly provide some challenges. However, with good planning these are not insurmountable. It would though, be prudent to get some good advice on an individual basis to ensure that your systems and processes comply with the new law.
Extracts taken from Connected – The official monthly magazine for Chamber members Issue 65/April 2018.
If you require more help and advice about GDPR take a look at Support Cambridgeshire’s basic fact-sheet on the subject which can be found here:
Further advice and guidance can be found at the ICO website by clicking here: