GDPR question time with Insight Data

Insight Data delves into the new General Data Protection Regulation (GDPR) and answers the most common questions regarding the new data regulations.

On 25th May new data protection rules come into force affecting every organisation in the UK. The rules are designed to give individuals greater control over the personal data companies hold on them and what they do with it. Companies that breach the new rules can be subjected to significant penalties, with maximum fines of up to €20 million or 4% of annual global turnover, whichever is the greater.

Industry experts Insight Data have been tracking the developments and implications of the General Data Protection Regulation (GDPR) since it was first proposed in 2012.

What is the purpose of the new data regulations?


The last major overhaul of data regulations was 20 years ago, before Google, Facebook, Apple and other technology companies collected and processed the personal data from millions of people.

In the UK we relied on the Data Protection Act 1998. However, with inconsistencies on data protection across member states of the EU, leaders from the European Parliament, Council and Union have come together and developed a new standard for the collection, storage and processing of personal data.

What is required to comply with GDPR?

If you hold any personal data – from employee records to the names of your customers – it would be wise to conduct a DPIA (Data Protection Impact Assessment) or audit and clearly document the personal data you hold, how and when you collected it, and how it is used.

You will also need to have a clear privacy policy, be able to show a legal basis for processing the personal data you hold, and have procedures in place to detect and report on a data breach (such as a computer hack or data theft by an employee).

The Information Commissioner's Office (ICO) website provides further information on compliance.

Does GDPR just relate to marketing?


The GDPR specifically relates to the processing of personal data with emphasis on the ‘fundamental rights and freedoms’ of individuals known as ‘data subjects’. This includes how organisations collect, store, transfer or use personal data and includes, for example, employee records, supplier and customer information or prospects/sales leads.

Although the GDPR relates to personal data and not businesses, any data that can identify a ‘natural person’ will fall under the new regulations. This includes an individual’s name or email address even if they work for a limited company or LLP.

Will I have to have ‘consent’ to comply with the GDPR?

This is a cause for confusion with many companies. ‘Consent’ is one way to comply with the GDPR but there are in fact five other legal grounds for processing personal data, including ‘contract’ and ‘legitimate interest’.

For direct marketing to new customers, particularly business-to-business, legitimate interest will be the legal basis for processing personal data, although organisations will need to demonstrate that they have balanced their interests against the rights of the individual. Legitimate interest is outlined in Article 6(1)(f) of the Regulation, and Recital 47 of the GDPR states clearly:

“The processing of personal data for direct marketing purposes may be regarded as carried out for legitimate interest.”

Can I continue to use my existing marketing/prospect list?


To comply with the GDPR it is essential that your data lists are valid and kept up to date. You will need to document how you collected the contacts on your database and have procedures in place to regularly update the information to ensure the data is accurate.

For most companies, collecting and managing their own marketing data list is likely to fall short of the new Regulation unless they invest heavily in regularly cleansing and updating it.

Insight Data marketing lists are continuously validated and updated and can help B2B suppliers in the glazing and construction industry comply with the GDPR.

Where do I go for advice?

Despite the hype and the surge of so-called ‘GDPR Consultants’ and GDPR seminars, there are in fact no qualifications or accreditations for GDPR, and indeed the interpretation of the GDPR can vary between so-called experts.

As the UK’s independent authority, the Information Commissioner's Office (ICO) is the best source of information on GDPR compliance: www.ico.org.uk

Insight Data also publishes information and guidance for B2B marketing; visit www.insightdata.co.uk for the latest updates.