Experts answer key GDPR questions

Tuesday, 3 April 2018 09:00 AM | SALES & MARKETING

The Supper Club and Learn Amp have co-authored a practical guide to help entrepreneurs prepare for new data protection rules. It’s called Beyond Compliance: Preparing for GDPR and a New Data Mindset, because it’s about more than preparing for a deadline. It’s about adapting to a new way of doing business.

As we get closer to 25th May 2018, when the General Data Protection Regulation (GDPR) becomes enforceable, businesses are becoming increasingly aware of their compliance obligations. So are their customers and employees, with growing media coverage of the threat of dramatically higher fines.

Despite this, various surveys have highlighted a lack of preparedness for the new data rules. A Senzing study in January 2018 (based on 1,000 senior executives from companies in the UK, France, Germany, Spain and Italy) found that 60% were unprepared for GDPR. In February 2018, a poll of small firms by the Federation of Small Businesses (FSB) revealed that 18% of small business owners were unaware of GDPR and 34% had little understanding of its requirements.

A vast array of consultants and advisers have sought to address this lack of awareness and understanding with a wealth of educational content, while the Information Commissioner’s Office (ICO) and the Direct Marketing Association (DMA) have released guidelines to help businesses interpret the regulations.

With so much information on GDPR, our members asked us for a concise guide that would help them understand what they need to do and why but, crucially, offers more practical guidance on how. We worked with Learn Amp to curate relevant information on GDPR; interviewed members about how they have prepared for compliance; and invited specialists to offer advice on how to apply new rules.

The compliance process has raised a number of questions about how to apply it in different areas of business, so we posed them to a range of specialists to offer practical insight.

Here are five key questions compiled from members with comments from specialists featured in the guide:

  • DATA STORAGE: How long can data be stored, what needs to be deleted, and why?
    • “Data can only be stored for as long as you have legal grounds for storing it,” says Peter Borner, Senior Consultant, The GDPR Guys. “Financial data often has to be stored for 7 to 10 years. Employee data needs to be stored for as long as you need it to defend yourself against industrial tribunals. Customer data is generally stored for the length of your normal sales cycle. It is a case-by-case decision.”
       
  • SUBJECT ACCESS REQUESTS: Can requests be made on someone’s behalf?
    • “Businesses have been worried about a PPI-style claims industry growing out of SARs, with companies doing it on behalf of individuals,” says Suzanna Chaplin, Co-founder of ESBConnect. “Fortunately, the ICO has specified proof of ID from whoever makes a request, which also addresses the risk of giving personal data to the wrong people.”
       
  • CONSENT: Is consent the only way to gain permission for email marketing?
    • “Consent is not the only means of gaining permission for email marketing,” says Steve Henderson, Compliance Officer at Communicator. “PECR also allows email marketing, in certain circumstances, to existing customers and those in negotiations for a sale or service. Those circumstances are: where the email address was provided during the sale or negotiation process; where an option to opt-out was provided; where the marketing is limited to goods and services relating to the purchases or customer relationship; and where the customer is given an option to opt-out in each message. This situation is sometimes referred to as a ‘soft opt-in’”.
       
  • LEGITIMATE INTEREST: Do you need to regain consent for prospects before 25th May 2018?
    • “Legitimate interest may be a better option for communicating with current customers instead of consent,” says Peter Galdies, Founder of DQM GRC and DataIQ. “There looks to be a ‘one-time’ opportunity to make this change prior to May 25th. You need to document this decision, the balancing argument for legitimate interest and recognise that this will only be valid for those customers who are currently active. Consent will not be required; instead you will have to offer an opt-out from the processing.”
       
  • COMPLIANCE CONSULTANTS: What do you need a specialist for and what can be done in-house?
    • “You might not need to outsource everything and may only need advice and guidance,” says Joanne Smith, Founder of TCC Group. “The only way to decide this is to understand the full journey for getting GDPR compliant. A good consultancy will explain what this looks like and help you to find your internal gaps in knowledge, skills and resources that they can fill. This will help to prevent you paying for services you don’t need.”

To download your free copy of our guide to GDPR, visit https://gdpr.thesupperclub.com/

Related insights

Report

Beyond Compliance - Preparing for GDPR and a New Data Mindset

The General Data Protection Regulation (GDPR) becomes enforceable on 25th May 2018, and all UK businesses that process personal data will need to comply with it.