Happy Birthday to the GDPR


Happy 2nd Birthday to the GDPR!  It’s two years since we started this GDPR journey…

In the beginning, it wasn’t really clear what we were supposed to do or, more importantly, why on earth we were doing it.  The number of emails that I received, reeking of confusion and desperation, was ridiculous.  These companies that had opted me in to receive newsletters that I never read were still really keen to send me useless things, which never resulted in a further sale.  To me it just highlighted those companies I didn’t need in my life any longer.  Opt-in fatigue was at an all-time high.

Yet if they had a real reason to contact me they could.  They didn’t need my consent for that!

A smaller and more engaged database is far better than a huge one that really doesn’t want to hear from you.  Holding data you don’t use is a two-fold problem: you still have to keep it secure and accurate, which costs you money and carries additional risk, and it won’t make you any money.

Yet the actual purpose of the new legislation was often overlooked or unclear.  The Economist recently described data as more valuable than gold.  The GDPR is designed to protect people’s rights; imagine it’s your children’s or a vulnerable parent’s personal data and the importance becomes clearer.

What data is it trying to protect?

It’s personal data: anything that identifies you as a living individual (a “natural person”).  So, if you aren’t a company and aren’t dead, it applies to you.  This could be contact details, photos or a passport number.  It could also be special category data such as health details, racial or ethnic origin or religious beliefs.  People often say that because they trade business to business it doesn’t apply.  This is not the case: the name, work email address and phone number of a contact at a business customer or supplier are still personal data about that individual.

Consider a normal company selling, let’s say, watches.  There will be clients, suppliers and possibly employees.  The client data will be needed for repeat orders, batteries and warranty issues.  You can’t keep your client data forever, but you could keep it for the warranty period plus a couple of years to cover any outstanding issues.  You can’t keep supplier and employee data forever either, and you should have a data retention period in place that covers all of the personal data you need in order to run your business.  The ICO isn’t saying that you can’t hold the data, only that you should hold exactly what you need and keep it only for as long as you really need it.  The period you choose could be in line with HMRC or industry guidelines.

What the ICO is looking for is individuals’ data being treated well.

That means having a specific reason for holding it, a lawful basis for processing it, and keeping it only for as long as you need it.  You need to keep it secure and accurate and use it only for the specific purpose you originally collected it for.  Data subjects (the people you hold information on) have rights over their data, and there are penalties for not complying with those rights.  An ICO investigation is a thing to be avoided.  Believe me – they are thorough.

The ICO has been very busy investigating complaints and data breaches.  At the time of writing there have been over 60 monetary penalty notices, heading towards £15M worth of fines, not including the proposed fines for British Airways (£183M) and Marriott (£99M), which aren’t finalised as yet and will be record breaking when they are.  Precedents are being set and we need to review these decisions regularly to ensure that we don’t fall foul of new ways of working.  Thinking selfishly, let’s learn from other people’s mistakes.

Yet it’s not always about the money.

Individuals such as nurses and doctors’ receptionists have been found looking at personal data that they had no right to access.  The fines were relatively small, but the damage to a person’s reputation I expect would be irrecoverable.  There is no price for trust.

Many of the complaints concern marketing, where emails were sent or phone calls made to people who had opted out and did not wish to be contacted in this way.  Rude and selfish, these are unlikely to make a good foundation for a sale.

Some people still think that the GDPR doesn’t apply to them.  In the majority of cases, if you supply customers with goods and services, it is very likely that it does.  If the personal data forms part of a filing system and isn’t held for purely personal or household use, then it applies.

The whole idea of it may seem bewildering yet there are lots of resources out there to help you.

There are tools such as data flow maps to see how information moves around your business, legitimate interest assessments to check your marketing activities, and data protection impact assessments to identify and reduce your data risks.  The ICO website, https://ico.org.uk/, can help you too.

GDPR doesn’t have to be complicated – that I promise!

Louise is an experienced GDPR Practitioner and Commercial Manager with a background in law and quality management.  She helps numerous sole traders and small to medium businesses to simplify their data, introduce data protection by design into their planning and avoid fines.

If you want a free GDPR health check please do get in touch: https://trustedcompliancesolutions.co.uk/contact