The 3Ps of GDPR – Q&A
In our latest webinar with InPublishing, Hellen Beveridge covered the 3Ps of GDPR – Personal Data, Processing and Permission. Here she answers some of the questions there wasn’t time for and gives fuller answers to some of those she did.
Q: How do you research data in a GDPR-compliant way? For example, from contact data in websites or directories?
A: It is still OK to research data – what you do with it once you have collated it is the important question.
When you collate the data, you need to record all of your sources. You then have 28 days from when the data enters your database to contact the person concerned and tell them you have their data, where you got it from and give them access to a copy of your privacy statement.
Once the data is on your database and you have done this, you have to have a clear plan as to how long it is going to stay on your database (retention period). You cannot keep it indefinitely nor contact the individual concerned indefinitely.
Q: Is there a danger that this becomes like Y2K – I’ve had a number of ‘consultants’ offer to ensure our laser printers are GDPR compliant etc. which seems like a ruse…
A: GDPR isn’t like Y2K because there isn’t a ‘D-Day’ moment where the worry is that everything will fall over. In some ways, it is much scarier than Y2K because it penetrates into the very heart of your business – changing the perception of yourself as the data owner into the data custodian. There aren’t any purely technical solutions that will make you GDPR compliant. The only action you should take in response to the laser printer approach is to ask yourself why someone thinks your current laser printer wouldn’t be compliant. It illustrates the very granular nature of the legislation because what this says is – do you know what data your laser printer is storing and do you need to keep records of this under Article 30?
Q: How far and wide does our due diligence need to go? If we check out our data, and then our largest suppliers, do we then need to check our suppliers’ suppliers? How far does it mushroom out? Where does our responsibility end?
A: The simple answer is that your responsibility ends at the point where it would be unreasonable for you to continue, i.e. your responsibility extends to the contracts which you personally negotiate.
When you engage a Processor (supplier) to carry out tasks for you, this needs to be done under the conditions laid out in Article 28. In paragraph 4 of this article it is clearly stated that if a Processor engages a sub-processor to undertake some of this work, then the latter has to be covered by the same contractual agreement as exists in the first instance. The Processor needs to tell you, and be aware that if the sub-processor fails to fulfil its data protection obligations then they are fully liable.
Q: Our online subscription product is sold through distributors, so we do not always have a direct relationship with our customer. Would contacting the customer by email to provide free resources to help them use our product (such as training and promotional materials) be classed as legitimate interest?
A: Let’s just unpick this for a moment. Your product is sold through a distributor – so you are the Controller of the data and the distributor is the Processor. Therefore any data collected in the performance of the contract between you and the subscriber is your responsibility (think of the distributor as a mailing house).
Given that you have a proven relationship with the subscriber and that you would be supporting/enhancing their subscription with the advice you are giving them, it would seem appropriate to manage this part of the relationship using legitimate interests. However, you must make sure that individuals can opt out of these emails at any time, and also make sure that you are compliant with PECR legislation (which will include defining whether this is B2B or B2C data).
Q: Email addresses are frequently used in the subscription renewal process. Are personal and work email addresses viewed differently under the new regulations?
A: Essentially no. All data is now considered equal regardless of the context in which it was collected. There is a difference in the way email is treated between B2B and B2C (i.e. the soft opt-in), which is covered by the PECR.
Q: What must we tell people when we ask them to complete demographic profiling questions? Do we have to say we are going to use this to analyse our customer list…send you content most relevant to you? What is the best way to say this and can we have this in Ts and Cs or does it have to be on the same page as the data collected?
A: You need to tell people why you are asking them profiling questions at the point where you ask them, i.e. before the first question, and you must give them the opportunity to opt out of having the information they give used for these purposes. You can’t bury this in your T&Cs.
For example, you might need to ask specific questions in order to work out if someone is eligible to receive a controlled circulation magazine so you make them compulsory, but they might not want you to target them for marketing purposes, so they need to be able to opt out of this.
Q: We have built a first party database with the opt-in pre-ticked. Do we have to start building this database all over again or go back for permission?
A: Firstly, any data you have permissioned with pre-ticked boxes is not compliant with GDPR (Recital 32) so post May 2018 you cannot use it legitimately.
Within the lifecycle of your data, you will need to re-permission that data which you have legitimate grounds to retain. However, be very careful. Do not try to re-permission anyone who has already opted out of receiving messages from you, particularly via email, as permissioning emails are considered to be marketing and you would fall foul of sending out unsolicited messages on a large scale.
Q: Is collecting email addresses (business cards) at an exhibition, which we then use for marketing, considered a soft opt-in?
A: Generally speaking ‘soft opt-in’ is used in reference to the PECR and emailing to B2B data. When you collect email addresses and business cards at an exhibition you become the Controller of the data and therefore it is incumbent upon you to manage it in a GDPR compliant manner. For example – what is the person who gave you that information expecting you to do with it in the context of the exhibition? You cannot collect business cards in a goldfish bowl to add them to your marketing database if people were putting them in there to enter a competition. You would have to have a mechanism for permissioning that data for marketing purposes.
Q: What is PECR?
A: PECR are the Privacy and Electronic Communications Regulations (full title The Privacy and Electronic Communications (EC Directive) Regulations 2003) and European Directive 2002/58/EC – sometimes known as the ePrivacy Directive.
Essentially, PECR sets out extra rules for electronic communications which you have to apply in conjunction with the relevant data protection legislation.
Q: Is there going to be a consumer awareness campaign (TV, radio, print ads etc) next May to let the general public know about their new rights over their data?
A: Yes – the campaign is due to begin on 28th January 2018.
There is such a lot to think of in GDPR that it is really important to make sure that you are getting right down into the granular detail. If you have more questions, please do contact Hellen.