GDPR or General Data Protection Regulation is the hot topic at the moment and all businesses need to be accountable for the safeguarding and use of their clients’ personal data. From a marketing perspective, we need to follow several rules on how we use data, what we use it for and how we manage that data.
I’m no GDPR expert but I have been listening to the topic intently over the past two years. I know the ins and outs and the general rules. However, I wanted to answer specific questions for you, give you an idea of what to do and what not to do. Sounds great, doesn’t it?
I searched high and low throughout the internet for questions like “What do I do with my current mailing list”, “what happens if I get reported?”, “what happens to me if one of my vendors or suppliers is in breach?”. However, no matter how hard I tried I just could not find the answers. After a little legwork I decided to collect your questions, some from conversations I’ve had with business owners, others from my classes and finally some from a number of social media shout outs – oh my god, this got a lot bigger than I intended it to be.
I manage to get in touch with Hugh Jones, Chief Privacy Officer, from Sytorus a Dublin based company who is a “leader in pragmatic Data Protection deployment”. Asked Hugh would he mind looking at your questions and he was more than happy to share his knowledge and answer them and in fantastic detail. (I’ve tried to categorise these, but it’s a little on the loose side as I wanted to keep your questions intact)
Email and Marketing
Q1 – I have loads of emails I’ve collected over the years from sales. Can I email all these people and get them to sign up for a newsletter?
This depends – on what basis did you get the e-mail address? In what circumstances? How clear was it made to the individual that they could expect to receive a newsletter from you? Under the GDPR, any consent to receive marketing material will need to be evidenced, demonstrating that the consent was informed, specific, unambiguous and freely given. Ideally, you will need to be able to show an ‘active indication’ of the individual’s consent. This is a much higher threshold than currently.
If the e-mail address is from a business source, then it is permissible to simply add them to your distribution list – this is considered B2B, and has a lower threshold for consent.
If, however, it is the personal e-mail address of an individual (B2C), you can only continue to use it for newsletter or marketing purposes if you have acquired it within the past 12 months;
Since the 2011 Electronic Communications Regulation, consent for marketing has a ‘shelf life’ of 12 months, which means personal data must be used at least once within the 12 months following the acquisition, and at least once in each 12-month period thereafter;
Furthermore, each newsletter, whether B2B or B2C, which you send must remind the recipient, within the text, that they have an option to opt out at any point from receiving further newsletters.
So, if they introduce a new topic of newsletter (e.g. they fashion edition and the home edition) can they email the current list with this or do they need to inform them of the new topic and offer to sign up or can they do this at all?
The DP legislation requires that your use of the personal data should be fair, and should only be for specified and lawful purposes (Rule 2 currently, Principle 2 of the GDPR);
Therefore, (you will get tired of me saying this) much depends on the expectations you gave them when they provided their contact details – if you kept it generic (e.g. “would you like to receive our Newsletter?”, then an expansion of scope and topic is fine since they have no specific expectation re content;
If however, you set their expectation more specifically (“Would you like to receive our Sports/Lifestyle/Gardening/Political Satire Newsletter?”) then a change in direction is not going to be appreciated.
In the latter circumstances, we recommend seeking separate, prior consent for the new content/material.
The DP Commissioner is obliged, by law, to investigate each and every complaint – they do not wait for a quorum or a substantial number to build up. Therefore, you will always want to avoid a situation where the recipient feels that you have exceeded your brief, or made assumptions on their behalf, and the legislation supports them in this.
Q2 – Do you need to inform them of the frequency of mailing and then stick to it rigidly, some small businesses will email a few times, leave a 6-month break and get back into it. – how long can they keep the emails?
You’ve guessed this answer already! – Much depends on the expectations you have set – the legislation makes no reference to frequency – all focus is on ‘fairness’ – i.e. set reasonable expectations regarding your use of the data, and remain consistent with those expectations.
We often add new services or need to contact customers about maintenance, we would like to inform our customers about this, can we email or text them these updates?
The legislation distinguishes between marketing and servicing messages – where the information relates to the maintenance or administration of a service for which they have signed up, then such messages do not require prior consent – but you must be careful to stick within the scope – do not try to ‘piggy-back’ marketing content within what is intended to be a servicing message – that would be seen as unlawful and likely to draw the attention of the Office of the DP Commissioner (ODPC).
If maintenance/servicing messages are a feature of the service you offer, make this clear to the client/subscriber/recipient as early in the relationship as possible, in order to set their expectations and to distinguish from other messaging.
Q3 – We do loads of surveys, where we collect demographics and other information on our customers so we can deliver correctly targeted ads. How long can we keep this information, how do we have to store it and is it transferable from each campaign?
We recommend that surveys are anonymised, unless it is absolutely necessary to be able to respond to or follow up with the respondent. There is no retention schedule specified for survey details, so it is at your own discretion regarding how long you consider the demographic information represented in the survey response will remain valid, accurate, current, relevant, etc.
Q4 – What are the requirements for signing up for marketing emails, text messages and phone calls?
Since 2011, the requirement for appropriate consent for electronic marketing is that the individual must give prior consent;
Under the GDPR, where consent is the basis for processing, it must be clear, informed, freely-given and unambiguous – preferably involving an active indication of their preference – e.g. a ticked box, signature or some indication of their willingness to be contacted. Silence or failure to opt out cannot be interpreted as an opt-in.
For postal marketing, there is no requirement for prior consent;
Each message must remind the recipient that they have the option to opt out from receiving further messages in the future;
Under the GDPR, where a recipient opts out from receiving such messages, their data must be updated as soon as possible, but within a max of 30 days to ensure that they are not included in any further campaigns.
Q5 – What do I need to show and how do I prove that someone signed up to a mailing list?
Ideally, record the time and date, as well as the circumstances under which they signed up – e.g. as part of a campaign, as part of a competition, a business card at a conference, etc.;
There is no requirement to have a scanned image, or a signature, or a voice recording!
Q6 – We use competitions at trade shows and events to gather email addresses and phone numbers for marketing is this ok and what should we do with the forms after we’ve entered the data?
We are talking about two purposes here – a) the administration of the competition and awarding of the winner, and b) the inclusion of the entrant data into the marketing distribution list – these need to be made clear to the entrants, and should not be assumed.
The GDPR requires that consent is freely given and unambiguous – a ‘soft opt-in’ through a competition would be seen as placing a condition on the entrant, (i.e. being added to our marketing list is a condition of entering the competition) and this would not be considered fair or reasonable;
If you choose to run a competition, it should not automatically mean that all entrants are added to the marketing list – there should be a separate opt-in for marketing consent;
Sharing Data With Employees and Third Parties
Q7 – Our drivers need to contact customers for directions or text them to tell them they are late, is this a GDPR breach?
No, this communication would be seen as ‘servicing’ of the commitment to deliver the package/product efficiently. As long as the data is acquired solely for that purpose, and is only then used for that purpose;
Client details provided for the delivery of the package should not automatically be added to the marketing distribution list unless clear, separate consent is acquired;
We strongly recommend that drivers delete the numbers from their phones once the package has been successfully and verifiably delivered since there is no further use for it (again, Specific Purpose as mentioned above).
Q8 – Am I able to share addresses or phone numbers with couriers and shipping companies or is this risking a breach?
Certainly, but only where you have already established a Data Processor Agreement with this third-party service provider. A standard contract must be in place between you (the Data Controller) and the third party before any such data is disclosed or shared.
Providing personal data on customers to a third party without such a contractual arrangement in place would be a breach of your DP obligations;
In turn, if the courier sub-contracts work to a ‘final mile’ delivery service, it will be the responsibility of the courier to ensure that an equivalent contract is in place with this sub-contractor;
(Templates available from Sytorus if required.)
Storage and Retention of Data
Q9 – How long can we keep information on clients, and like our accounts are there a number of years we have to keep records before we dispose of them.
There are several pieces of Irish legislation which stipulate different retention periods for different categories of personal data – unfortunately, the DP legislation is not one of them – it is the responsibility of the Data Controller to know which legislation applies to their respective business operations, and to comply with these durations as a minimum;
Thereafter, the organisation can decide to keep data for longer if there is an operational need, etc., but must remain fully compliant for such data (against all seven of the DP Principles) for the duration of the time it is retained;
Destruction, anonymization or return of the data absolves the Data Controller of their obligations at the end of the retention period;
A generic retention schedule ‘Starter for Ten’ accompanies this document, but ultimately, it will be the responsibility of the Controller to determine an appropriate retention period for each category.
Q10 – I have an enormous amount of hard copies of invoices and other data on clients, what do I need to do with these and should I be concerned about passing these over to people like our accountants or solicitors?
The previous answer applies with regard to how long to keep the records (regardless of whether in automated or manual format.
As third party service providers, the accountants, auditors, solicitors, marketing companies or data centre hosts are all considered third parties (Data Processors) under the DP legislation.
Therefore a separate, formal contract must be in place with them which will set out the parameters of what they can and cannot do with personal data during the course of their engagement and professional services.
Q11 – My clients fill a form when we start working together and when we finish and we stay in touch via email in between consultations – personal data and information are included in forms and email, will I be required to ask permission to keep/delete them? Will I be required to write for how long their information will be stored? Will it still be ok to use this kind of online forms? (I now say that information will be stored for professional use only and not shared with third party etc..)
In the interests of transparency, it would be advisable to have a Privacy Statement setting out clear expectations re your intended use of their data;
You would be expected to provide them with a copy of any and all information which references them, in the event that they request it (a Subject Access Request), even where they might have contributed to the material themselves;
Keep the data for as long as necessary for the purpose for which you have it, e.g. the professional relationship, plus some time to allow for claims, complaints, follow-up, etc.
GDPR Breaches and Making Mistakes
Q12 – What happens if I make a mistake and get reported, what are the steps, do we get warnings and guidance? Is free guidance available? How many people does it take for me to get picked up?
Normally, the ODPC will initially seek an explanation as to why the error occurred, and what you are doing to fix it – if it is contained, usually no further action;
Where it impacts on the privacy of an individual (if, say, their personal data is compromised, lost, disclosed to someone else, etc.) then the ODPC will require you to engage with them, explain, apologise and make amends.
If it goes no further, and the ODPC is happy that reasonable steps have been taken to prevent a recurrence and to ‘make good’, it usually ends there.
If, however, an organisation is a persistent offender or fails to engage with the ODPC, fails to apologise or acknowledge the error or breach, then the ODPC will escalate through her powers, in the form of formal notices, or ultimately, prosecution.
A breach can be one incident, involving the personal data of one person – as mentioned previously, the ODPC is obliged by law to investigate every complaint.
Under current legislation, the obligation to notify the ODPC arises when more than 100 records of ‘ordinary’ data are compromised/lost/stolen – e.g. names, addresses, e-mail, mobile numbers, etc.), or even one record of sensitive personal data (medical, religious, criminal, etc.).
The obligation to notify the ODPC only arises where the device on which the data was stored was not encrypted – if the lost device was encrypted, no obligation to notify;
Obviously, where paper records are compromised, there is no exemption for encryption!
Q13 – How is the DPC (Data Protection Commissioner) deciding on what businesses to investigate and do they have a kind go a hierarchy, basically do they treat smaller businesses with a little more ‘kindness’ than a large organisation?
They have, in the past, gone after the Gardai, Insurance firms, public bodies, hair salons, GP Practices, Nail Bars, and SME’s – no-one is safe (or everyone is in the same boat)!
Q14 – What is your liability and responsibility when a third party service provider loses your customers data? For example, a lot of businesses use MailChimp, if they get hacked, what are your responsibilities and liability?
As the Data Controller, you have full responsibility for what a third party does with your data. You can transfer some of that liability onto the third party through the Data Processor contract, but ultimately, the Controller has the primary obligation to be compliant.
This is why the Data Processor Contract is so important – if gives the Controller recourse in the event that the third party (or a sub-contractor) causes a breach, leading to reputational or financial damages.
Other GDPR Questions
Q15 – I have a Wedding Stationery business and do wedding fairs, any samples I have made has info on it such as the details of the wedding, the couple etc. can I use these and also can I use them on Facebook website etc?
Only where you have the permission of the couples to do so – it is a small island, and there is a real risk of disclosing images, information, etc. on people to someone who might know them, the family, etc. Our recommendation would be to remove or change personal references and to use stock or staged images, not actual footage from an actual wedding.
Also, how do I go about protecting my client’s information do I need to let them know what I will be doing with it, and that it will be for my use only and not distributed to a 3rd party
If you are using it as promotional material for your business, plenty of third parties (i.e. other couples) are going to see it! You must have the permission of the couple before using their images or material which refers to them by name.
Bear in mind that some images of the wedding ceremony or event may disclose information on a person’s religion, ethnic identity, etc. – sensitive information which has an additional level of protection under the legislation.
Q16 – We use influencers and other businesses to help us with marketing and brand advocacy. We often contact these people through their social media accounts, websites and blogs to help us with our marketing. Some of these people would be professionals and some of them would be people who do it for fun, is this something we need to reconsider now?
No, if they have ‘put themselves out there’ as influencers, then their contact details have been ‘manifestly made public’ by themselves, so there is a very low expectation of privacy. If they then, in turn, tell their ‘followers’ about your product or service, it falls within the expectation of the followers because they have signed up for just such information, so no harm, no foul.
The only way in which this might arise in the DP space is where influencers seek to pass off advertisements and advertorials as a personal comment or social media exchanges – in the interests of fairness and transparency, sponsored messages need to be identified as such.
Q17 – Our company often poaches employees from LinkedIn or from their email addresses, is this ok?
No – the clue is in your question: ‘poaching’ implies that the individual is not aware that you have harvested their data, and are planning to use it;
Under the GDPR, consent for the use of personal data must be freely-given, specific, informed and unambiguous, and involve an active indication of the person’s preferences – if the data is acquired without their knowledge, you will not be able to cite evidence of their consent, therefore there must be some prior indication before that data is used;
The intention of this criterion is to do away with cold calling as a marketing approach and to increase the level of control which the individual has over how their personal data is being used.
Q18 – I’m in the UK and I’m confused about the need (or not) to register with IOC. I hold name and email solely to send out my weekly newsletter.
Very topical! Under the GDPR, the obligation to register as a Data Controller or a Data Processor will be removed. However, the ICO has recently issued an update stating that, under new legislation currently before Parliament, organisations who meet certain criteria will still be required to register with the ICO, and more importantly, to pay an annual fee!
The fees are:
Tier 1 – micro organisations. Maximum turnover of £632,000 or no more than ten members of staff. Fee: £40 (or £35 if paid by direct debit)
Tier 2 – SMEs. Maximum turnover of £36million or no more than 250 members of staff. Fee: £60
Tier 3 – large organisations. Those not meeting the criteria of Tiers 1 or 2. Fee: £2,900
Q19 – Is there any software packages that you would recommend that a small business use that would help with all the data management?
Not that I am aware of, sorry. Sytorus offers Privacy Engine at an SME rate, happy to discuss that or provide a demo on request, but may not be appropriate for one-(wo)man bands and smaller organisations.
I think we can safely say that Hugh has been amazing at answering your concerns and questions, thank you so much for your help here and organising responses so quickly. The threads that I put on several social media platforms have continued to collect questions so we will try to deal with more of these in the near future.
If you want to know more about GDPR Sytorus have an amazing blog and tonnes of resources on their website. You can also follow them on LinkedIn or Twitter for more updates.
Hugh Jones, Chief Privacy Officer at Sytorus Ltd., specialised in the world of data protection compliance long before data was discovered to be the ‘new oil’. He is a co-founder and director of Sytorus, which was formed in 2011 as a specialised provider of Data Protection training, guidance and assessment services, based in Dublin, Ireland. Since 2014, he has been COO at Sytorus, as well as continuing to deliver some of our training and consultancy services.