By Tony Dent
There’s a lot of ‘hype’ around about the forthcoming data protection rules, much of which is designed to frighten businesses into using expensive consultants! However, 95% (or more) of businesses will NOT need to appoint a DPO (data protection officer), nor will they need an elaborate web-based, ‘permission’ compliant, opt-in registration system.
What you can do now
What businesses will need is sensible systems that define how they are operating their marketing and administrative activities (including HR). They will also need to maintain records that demonstrate that they are adhering to those systems.
A further precaution is to ensure that your marketing activities will only use ‘personal data’ from legitimate suppliers. The purpose of the act is to protect individual privacy and ensure that personal information is not abused. So, whenever you are seeking to ‘target’ specific groups of people, such as cat owners or parents of primary school children, you must always have permission from those people to contact them. In general, that will mean obtaining a list from a bona fide data owner who will have obtained such permissions. Otherwise, you will need to do that yourself!
What is Personal Information?
Of course, contact information of a named individual (email address, telephone number, postal address) is also deemed to be ‘personal’ information. But in many cases such information cannot be considered genuinely private because, by its very nature, it will have been shared with quite a large number of people.
And ‘legitimate interest’?
It is therefore doubtful that any business will be fined simply because it has used a contact address for a legitimate purpose, whether with or without the address owner’s permission. In fact, the term “legitimate interest” is used in the act in such a way that it can provide you with the right to contact some individuals who have not provided you with specific consent to do so. However, you should only make contact when you have good reason to believe that they will have a genuine interest in your business offer and have not subscribed to a preference service or indicated their disinterest in marketing communications in some other way.
Good practice – provide an opt-out
It will remain good practice to ensure that all your communications provide an ‘opt out’ opportunity for all recipients. So you can continue to use your business card list, excluding those who have said ‘please don’t contact me again!’
Create a rule book
In summary, whatever your business, you should create a short GDPR rule book with which every member of your staff is familiar. This should describe how you record details of the consent provided to you by any individual and under what circumstances you may choose to use legitimate interest as your justification for processing. The rules should also cover how you record the withdrawal of consent from any individual and the process for handling SARs (subject access requests).
What you can do tomorrow
We believe it will be important to publish your rules once you have established them. That way everyone knows what you do and how you do it!