Hopefully by now, you’ve heard of the new General Data Protection Regulations (GDPR) coming into play on 25 May 2018. It’s a challenge for small business owners as it changes how you collect and use personal data in your business.
I’ve put together this quick guide to the new rules, with help from Annie Carr, from Gillespie Macandrew LLP. I’ve also described what I’m planning to do to prepare for the rule change, to help you think about what you might need to do yourself.
What is the GDPR
The GDPR is a European Union (EU) regulation which affects how businesses and other organisations hold and process personal data about EU citizens. The UK is likely to impose the same rules for UK citizens after Brexit as well. It also affects businesses outside the EU, because they may, now or in future, hold data about EU citizens.
There are a few key terms you need to know.
The Data Controller is the person or business who owns the data, and decides how it is used.
The Data Processor is the person or business who uses the data to carry out the instructions of the Data Controller.
Data Subjects are the people to whom the data relates.
What kind of data does this affect
Most of the small businesses I work with hold data about individuals in various places. Because the description covers any kind of data linked back to an individual, it’s not just email addresses and phone numbers. You also need to think about things like social media data, IP addresses, and so on.
As a data controller, you may hold data in:
- Your email list through MailChimp, TinyLetter or another service.
- Google Analytics
- Your email inbox, client database, mobile phone, etc.
- Ticketing tools like Eventbrite
- Project documentation, invoices, reports and other client paperwork.
Social media sites where you have an audience are also relevant. You have access to personal data through these platforms, and you make decisions about how to use it, so in this regard you are also a data controller, even though you don’t have complete ownership of the data.
Defining your reasons for using personal data
The rules outline six different ‘lawful bases’ for using personal data. Basically, your reasons must be in line with at least one of these options for it to be legal for you to carry on.
The lawful bases are:
6(1)(a) – Consent of the data subject
6(1)(b) – Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
6(1)(c) – Processing is necessary for compliance with a legal obligation
6(1)(d) – Processing is necessary to protect the vital interests of a data subject or another person
6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
6(1)(f) – Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
Although it’s at the top of the list, consent is probably the last one you should consider using, because GDPR has high demands for this.
Most small businesses would do well to look at ‘performance of a contract’ and ‘legitimate interests’.
Obviously, you need to know some information about your clients to do work with them. When you gather contact information, client questionnaires and payment details, these can be justified under the second lawful basis, ‘performance of a contract’.
In terms of marketing, you’ll be glad to hear, as Annie told me, that “The GDPR explains that conventional direct marketing is a legitimate interest and therefore processing of that type should be justifiable under the ‘legitimate interests’ condition. However, this legitimate interest can be overridden by the rights and freedoms of the data subject. Data subjects must also be provided with specific information regarding the processing of their data, and the rules contained in the Privacy and Electronic Communications Regulations (PECR) continue to apply.”
This means you can use personal data to market to people, without having to ask them for explicit consent. Huzzah! What you absolutely must do is to let people know you have their data, and how you plan to use it.
Getting consent to use someone’s data
Coming back to consent, you can use this as a fall-back option if your plans don’t fit under another lawful basis. Annie explains:
“If a data controller can’t justify data use under another lawful basis, then they have to ask for consent from the data subject to each processing activity. The GDPR sets out how you must do this so that the consent is valid.
“When the data subject agrees to the processing of their data, the statement must be unambiguous and indicated by a clear and affirmative action. This means you can’t rely on ‘opt-outs’ or pre-ticked boxes.”
You should not use consent as a ‘back-up’ alongside another lawful basis. If you need to process the data, with or without permission, “it would be misleading to seek the consent of the data subject. Again, what is important is that the data subject has been provided with the information referred to above.”
“The ICO’s view is that where a data controller believes they already have consent to a GDPR standard, there is no need to go back and refresh that consent. However, most consent already obtained probably won’t be GDPR compliant. The ICO hasn’t yet explained how a consent-gathering exercise could be carried out, but we expect that they will soon.”
Make sure you read up on the current guidance on consent on the ICO website.
The wrong way to get consent
I first heard Annie present about GDPR at a business event in November 2017. She mentioned a large company had been in trouble with the ICO. They had sent a mass email to their database to gain consent for the way they wanted to use personal data.
“The company in question was Flybe and they contacted a database of individuals who had not consented to be contacted by email for marketing purposes. Flybe sent an email under the heading ‘Are your details correct?’ asking individuals to update their marketing preferences and advising that they would be entered into a prize draw for doing so. The ICO took the view that asking for consent to be contacted by email for marketing when the email communication serves no other purpose is, in itself, marketing. Flybe was fined £70,000 for breaching the Privacy and Electronic Communications Regulations (PECR).”
Letting people know how you use their data
Everyone who processes personal data is responsible for ensuring all their data subjects know how and why their data is being used.
“The data subject must be provided with information regarding, amongst other things, which lawful basis is being relied on by the data controller.” You also need to let them know about their rights.
The GDPR provides for 8 rights for an individual data subject:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
Check the ICO website for a full explanation of these rights.
“The key thing to point out here is that you have to give all your data subjects the information set out in Articles 13 and 14 of the GDPR. The GDPR doesn’t say this has to be in a privacy notice, but that is likely to be the easiest way to comply. In any event, the information provided must be clear, transparent and written in unambiguous language (i.e. not buried at the end of a set of terms and conditions which the data subject will never read).”
What I am doing to prepare for GDPR
Having read up on the guidance and information about GDPR from the ICO, I’ve decided on a strategy for my own business, to make sure I’m ready for May 2018.
My first task will be to outline my own Data Policy and write it down. This will describe the data I hold and ask for, where it’s stored, and how I will use it. I’ll also plan how to respond to data subjects if they ask for a copy of their data, or ask me to remove it. Finally, I’ll cover how long to keep data for, and how to remove it when I’m finished with it.
Secondly, I’m going to consider if I want to justify my data use with the opt-in clause, outlined above. If I do, I’ll need to make sure I’m gathering consent correctly, and recording what I’ve done.
Thirdly, I’ll be updating my Privacy Notice, on the basis of my data policy, and sharing it with my data subjects, so they know how and why I’m using their information, and what their rights are.
Finally, if there’s anything I’m not sure about, I’ll ask a lawyer for specific advice about my situation.
This article is intended as a general guide to GDPR for small business marketing. The information is not exhaustive and is not legal advice, and neither are the comments kindly provided by Annie Carr.