Essential GDPR resources for businesses

Jennifer Hall, Thursday 22 February 2018

GDPR, which stands for General Data Protection Regulation, is something most businesses will be aware of by now. And the clock is ticking on compliance.

The new regulation has been developed by the European parliament and comes into force on 25 May 2018. It affects any business that is operating in the EU, whether the company is physically located there or otherwise.

Why is GDPR being introduced?

GDPR is designed to increase and protect the rights of EU citizens by setting out strict rules around the use of ‘personal data’ – from how it is collected, to how it is processed and how long it is held.

The regulation has been created, in part, due to the many digital advances that have been made in recent years, particularly when it comes to the web, apps and social media. These types of developments simply didn’t exist before and are evolving at such a rate that current data protection laws are inadequate to deal with them. GDPR aims to bring the regulation up to date with the technology.

It builds on existing data protection rules, but is far stricter and more detailed, including in how it defines personal data. Responsibility is placed firmly on the company when it comes to proving that its actions are compliant. There are also strict timeframes within which firms must act, such as when an individual requests that their personal data be erased.

The potential penalties for non-compliance are severe. Firms that break the rules could be hit with a maximum fine of up to £20,000,000 or 4% of worldwide annual turnover, whichever is higher.

What is classed as personal data?

At the heart of GDPR is personal data, and what is classified as such goes far beyond the definition in previous data protection laws. In the eyes of GDPR, personal data is anything that can directly or indirectly identify an individual.

This includes name, email address, bank details and photos. It also covers work email addresses, if they can be used to identify a specific person (so generic addresses such as info@ will be exempt, whereas Tom.Smith@ would be classed as personal data).

If an individual can potentially be identified by a pseudonym, username or other unique handle, then this data will also now be protected under GDPR.

What are your responsibilities under GDPR?

If you are already complying with the Data Protection Act, then you’ll be well on your way towards compliance with GDPR. There are, however, some key differences.

When holding personal information, you must ensure:

  • You have a lawful basis for processing the data
  • Data is processed for a specific, explicit and legitimate purpose
  • All information held is relevant for the specified purpose
  • All data is accurate and up-to-date
  • You do not keep data for any longer than necessary
  • Data is processed lawfully, fairly and in a transparent manner
  • Information is handled and processed in a way that maintains security
  • Consent has been obtained for any new and existing data that you hold or process

To help you ensure your business is compliant, we’ve broken the process down into 12 easy steps. You can download your free checklist here: 



Existing data

The last point about existing data is an important one.

GDPR rules apply to any data you already hold. If it was obtained in a way that complies with GDPR, then great! You’re good to go. If it wasn’t gathered and recorded in a manner that complies, then you’ll need to act, or delete it.

For example, you may have an existing list of people signed up to your company newsletter. If you obtained explicit consent and have evidence of it, then your list is likely to be compliant.

If you haven’t got a record of consent being given, or if you used an automatic opt-in button or similar, then you will need to gain consent again. Make sure you do so in a way that fully meets the new requirements, otherwise it won’t be lawful for you to use it.

Legally acceptable reasons for processing personal data

GDPR specifies six legally acceptable reasons for which personal data may be processed. They are:


1. Consent for a specific purpose

For consent to be used as the lawful basis, individuals must give their explicit consent (not assumed through a pre-ticked box etc) and positively opt-in for their data to be held and used. It must be given for a specific reason, with separate consent sought for separate actions. If services are being offered to children, then parental consent will be a requirement.


2. Contractual necessity

You can lawfully process data if you have a contract with the individual and you need to process their personal data in order to comply with your contractual obligations. This option also applies if you don’t yet have a contract, but have been asked to do something that requires you to process their personal data, such as producing a quote.


3. Controller’s legitimate interest

Legitimate interest is the most flexible lawful basis. To use it you will need to prove that there is a legitimate interest (basically, a good reason why the processing is necessary). This must be balanced against the individual’s interests, rights and freedoms. You must include full details of your legitimate interests in your public-facing privacy policy.


4. Controller bound by legal obligation

You can also process personal data if you are required to do so to comply with a common law or statutory obligation. This doesn’t, however, apply to contractual obligations. If you can reasonably comply with a law without processing personal data, then this basis won’t apply.


5. To protect vital interests

This only applies to organisations who are required to process data to protect someone’s life, for example when providing emergency medical care. Even in these cases, if the individual can provide consent, then it must be sought.


6. Public interest or official duty

This lawful basis allows you to process personal data on individuals if the task is in the public interest, or if you are required to perform a function that has a clear basis in law.

Individual rights

Under GDPR, individuals have much stronger rights and greater control over their personal data and how it’s used.

Individuals need to agree to their information being gathered and to exactly what it will be used for. Records must be kept of this consent, to prove it has been gained lawfully.

They can then request that any data you hold be amended, updated or erased at any point. They can object to the gathering or processing of their data, and withdraw their given consent at any point. You’ll have just 30 days to comply with any such request.

Who is the ICO?

The Information Commissioner's Office (ICO) is the body responsible for overseeing GDPR in the UK. If an individual is unhappy and feels their personal information has been mishandled in any way, then this is where they can turn for help.

In the event of a complaint, the emphasis will be on you to prove you have acted in a legal way and are compliant with GDPR rules. Accurate record keeping is therefore vital.

For more information, see the ICO ‘Guide to the General Data Protection Regulation (GDPR)’.

Complying with GDPR

So, where should you start?

The key thing is to understand the current situation and what data you are holding, then to implement any system changes that may be required.

It’s important that everyone within the business knows about GDPR and what compliance entails. It’s also advisable to give someone within the organisation responsibility for overseeing your GDPR compliance. This is a legal necessity if you have over 250 employees, but is good practice for any business.


We have also pulled together a handy infographic specifically for marketing teams that contains the key information they need to know about: 




DISCLAIMER: Lead Forensics is a global market leading SaaS organisation.  We have conducted extensive research into the GDPR and have an active working knowledge intended to help our clients to become better prepared ahead of the GDPR coming into force.  Lead Forensics however does not provide legal advice on the GDPR and cannot be held responsible for the GDPR compliance of any organisation other than its own, it is the responsibility of each business to ensure their own compliance with the GDPR.  If you have any need for legal advice, please contact a solicitor or visit the ICO website for further
