Gavin Scruby, CIO at SmartDebit
The General Data Protection Regulation (GDPR) is almost here, and we are seeing its effects work their way into everyday consumer life. Whether it is in our email inbox or on a social media platform, we are being prompted to review new privacy policies and give our consent to receive emails. The feeling of confusion among both consumers and businesses is real and powerful. The media is having a field day with GDPR-related stories, while others may be benefiting from providing additional legal consultancy. It is indeed a complex regulation, so the confusion is understandable. Many businesses – especially smaller ones that can't afford compliance staff or don't have legal teams – rely on advice given to them by consultancies that may not be as expert as they portray themselves. Be very aware. Indeed, this article itself shouldn't be seen as official legal advice. It is worth evaluating, however, the actions that are being taken as a result of GDPR myths.
Myth or fact?
Some businesses have gone to the extreme of wiping out entire mailing lists to reduce the risks associated with holding data, as in the Wetherspoons example. Is this really necessary for GDPR compliance? The simple answer is no. Businesses do not have to start from scratch in order to be able to send communications or marketing emails to their customers. What happened in this case is that the business in question (Wetherspoons) took the business decision not to use email as a method of keeping in touch with its customers. They decided that they do not want to hold any customer emails in their database. Although we cannot know exactly why they did this, it could be because they are unsure whether they received clear consent to contact those email addresses, or because they do not want to risk being fined if a data breach takes place or mass emails are sent to customers by mistake.
Business-wise this could make sense for Wetherspoons, as their brand is so strong that they may not necessarily need email marketing as part of their strategy. Understandable, of course, but it also shows a lack of confidence in the company's existing data protection controls. GDPR is not a huge extension of the Data Protection Act, which people should be following already. If you handle large amounts of data and you are not sure where it came from, then going down the Wetherspoons route may make sense for your business; nonetheless, deleting all your data and starting from scratch is not what GDPR is about.
Getting fresh consent from your mailing list is another popular action that is overflowing our email inboxes. The GDPR sets the bar high for consent, and it is vital that you check your company's records to ensure your existing consents meet the GDPR standard; obtaining fresh consent from all of your existing customers, however, is not a GDPR necessity. If your mailing list consists of customers with whom you already have an existing relationship, who have purchased goods or services from you, then it may not be necessary to obtain fresh consent. You also have to think twice before sending your customers a long, complicated email about opting in. Is the text easy to understand? Is it too long? Do you have a mechanism in place for subscribers to unsubscribe? You may risk non-compliance anyway if the email is difficult to follow and the information is lost in its length. Your customers need to be able to clearly understand what they are consenting to.
It is also vital to remember that consent is only one of the lawful bases on which you are allowed to process data. There are six lawful bases under the GDPR: 1) consent, 2) contract, 3) legal obligation, 4) vital interests, 5) public task, and 6) legitimate interests. During your preparations for GDPR, you will have had to understand why and how you are storing and processing data and identify which lawful basis applies to your business. Therefore, if your business already has a contractual lawful basis with your customers, and that includes emailing them notifications about a service they have signed up for, then you may not necessarily need fresh consent to contact them, even if you want to offer them a further service.
GDPR will evolve in practice, if not in word
Just as GDPR builds on previous data protection laws, GDPR will also evolve over time. This will apply to how the law is interpreted when court cases take place. We just don't know yet how case law will develop. Nevertheless, just as the interpretation will evolve through court cases, your business will also need to keep evolving with the GDPR. You can't just do the preparation, say you are compliant and sit back. The processes put in place for the GDPR will have to be followed and adhered to. Just as during your preparation for implementation, you will have to:
- Know where your customer data is stored, and why
- Know how you store that data and how it is protected
- Be able to correct, and delete, the data if needed
- Delete any data that you identify as not being used
- Review third parties processing your customer data
- Be able to prove all of this with evidence.
If you have these checks and balances in place, then staying compliant with GDPR will be far easier throughout your business's journey with data protection.
Don't let the law scare you. Take advantage of it to help you provide better customer service. People want to feel empowered and that they are in control of the personal information that companies hold about them. Being transparent about data protection, and following GDPR laws, should confirm that you are doing the right thing. This will be more to the spirit of GDPR than any box-ticking compliance regime, and will serve you far better with your customers.