GDPR. Four months in – don’t panic!
by Paul Longland, 01 October 2018
You’d have had to be under a rock to avoid the panic surrounding May’s GDPR deadline. The GDPR is so confusing – for everyone. Now that the deadline has passed, should we still be worried?
There is a lot of confusion surrounding GDPR. From your own words, what exactly is ‘GDPR’?
To the normal person, it’s a piece of legislation from Europe that is going to govern how companies and organisations use, store and process your personal information. This is to get services from them, products, legal advice – even when sending your kids to Scouts, for example – it’s how the organisation handles your personal data.
Does it apply to everybody?
Yes. It’s universal. There are very few exemptions – just one main exemption – and that is for ‘domestic purposes’.
What does that mean?
For example, if I give you my phone number, and say: “would you like to go out for dinner” – that kind of ‘transaction’ doesn’t apply. One person is giving someone else their information (their phone number) willingly; and does not expect the other to try and sell them a product. But it does apply to business and organisations that use your information for other purposes.
There’s a very grey area that people speak about; if you go to an organised networking event, and someone willingly gives you their business card – what can you do with it and what can you not do with it?
If they have given you their card – even if they haven’t given you their card – you can do anything with that card which is NOT illegal or unlawful. There is a lot of misconception about this subject. You can store their information – you can even call them. You can argue under the PECR (Privacy and Electronic Communications Regulations) that part of the discussion both parties had was part of you negotiating a sale; and that email was you following up on that sale – which is a legitimate use of that information.
People have got very scared about the subject of GDPR. Many are afraid to give their information to anyone – or vice versa. What would you say to those people?
They have got very scared – and they needn’t be. There is very little that they can’t do now that they did before. The subject of GDPR is about justification, paperwork and evidence. And to have systems in place to protect your business from any differences.
Can you summarise GDPR?
GDPR deals with personal data, how it’s used and the processes for using it. There is a different set of regulations, the PECR – mentioned earlier – that deals with sending emails. You are not allowed to ‘cold call’ emails, unless it is to someone who has agreed to it, was a customer, or has made an enquiry in the past. Whoever sends the email must stop sending them immediately if the recipient asks them to stop.
Are you legally allowed to send them emails until that point?
Yes. To be able to send those emails, you have to be able to provide the right to ‘opt out’ of receiving them (also known as the ‘right to be forgotten’). That rule is within the regulations. These regulations (the PECR) will be reviewed again in 2019 – but that is the position at the moment; you have to provide an ‘opt out’ or the ability to unsubscribe. If the sender does not comply, the recipient is able to make a complaint to the Information Commissioner.
If someone doesn’t give an ‘opt out’ option, and they do complain, what happens then?
At the moment – you go to the end of a very long list. If they are at the top of the list, the ICO will investigate that complaint. They will then issue a judgment. You can imagine how much they have been flooded with complaints since the GDPR deadline. They may issue a fine or an enforcement action – which of course will occur in the small claims court.
When Brexit finally happens, will GDPR still apply?
Yes. The Data Protection Act 2018/19 is a piece of UK law that is going to bring GDPR into our UK law when we leave Europe.
What does the ‘normal person’ (not a business owner, not a high-net worth individual) need to know about GDPR?
The most important thing is what your rights are in relation to your personal data. As a ‘data subject’ you are given a set of rights (under the regulation) with respect to your personal data. You have the right to be informed what a business is doing with your personal data, which is usually undertaken through a privacy notice. You also have the right to access all your information that they have. It can then be deleted, in most circumstances (but not if they are legally obliged to have it).
Since the GDPR deadline in May, have you dealt with, or heard about, any businesses or individuals that GDPR has had a huge impact on?
Yes – Facebook, Google, Instagram, for example. Within 24 hours of the deadline they were inundated with complaints that they hadn’t adhered to the GDPR rules.
How were these large companies not ready?
Simply because of the scale of the job. Imagine all those people that wanted their information deleted, changed, etc. It was mainly Facebook that hit the headlines – as a college was using Facebook as their main source of storing data – and then selling that data on, for marketing purposes. A fairly legitimate reason, yet it did not comply with the new regulations.
Tell me about your clients that are affected by GDPR.
We have clients that are involved with data processing and data farming, and their business has been affected. Most businesses, however, haven’t changed at all – and are actually still non-compliant with GDPR. The majority of people and businesses haven’t done anything – even those that need to.
Why do you think this is?
It’s probably a case of sticking their head in the sand – ignore it and it’ll go away. It’s difficult to understand, and it’s quite expensive to deal with. For a client to come to us and for us to completely change their systems and processes, the costs can add up – and no businesses are exempt, large or small.
Do they think they are not going to get caught?
Realistically – yes. Until someone complains, or they have a deadline problem (one that reaches the newspapers) they are not going to be investigated.
What do your GDPR cases generally involve?
A client may come to us and say that they would like to be GDPR compliant, so there is a list of things that they need to do – internal policies, privacy policies, keep records of their data processing, records of any data breaches – but more importantly, they need to review the agreements that they have. If someone is processing data for someone else, they now have to have a written agreement, with various provisions. Those are the things that people are not really doing. These don’t really affect the public – yet they are there in the regulations.
Are only large businesses targeted?
No – everyone. It’s a burden for businesses, yet the new legislation applies to all. The first step for a small business is to look at the ICO website – they have produced guidelines for micro, small and medium sized businesses. It’s then easy to see which category your particular business falls under, and to then take appropriate steps to comply with GDPR.
What would you suggest to anyone who is worried about GDPR?
The first step is to understand how your business or organisation is processing personal data. The impact of GDPR will be greater for those who are gathering and processing a lot of data. Marketing firms, call centres, etc. But the good news is that the ICO stated the first year or two isn’t about ‘cracking down on people’ but to educate about GDPR and provide assistance. They don’t expect everyone to be perfectly compliant straight away although that is the legal requirement.
What do you enjoy most about working with GDPR?
It’s interesting to see how it applies to many different businesses. It’s new law, which is constantly evolving – it’s quite enjoyable to teach and educate others about the subject.
If you would like to discuss GDPR regulations and compliance please contact Paul Longland on 01202 204 504.