Essential GDPR resources for businesses

Jennifer Hall, Thursday 22 February 2018

GDPR, which stands for General Data Protection Regulation, is something most businesses will be aware of by now. And the clock is ticking, in terms of compliance.

The new regulation has been developed by the European parliament and comes into force on 25 May 2018. It affects any business that is operating in the EU, whether the company is physically located there or otherwise.

Why is GDPR being introduced?

GDPR is designed to increase and protect the rights of EU citizens by setting out strict rules around the use of ‘personal data’ – from how it is collected, to how it is processed and how long it is held.

The regulation has been created, in part, due to the many digital advances that have been made in recent years, particularly when it comes to the web, apps and social media. These types of developments simply didn’t exist before and are evolving at such a rate that current data protection laws are inadequate to deal with them. GDPR aims to bring the regulation up to date with the technology.

It builds on existing data protection rules, but is far stricter and more detailed, including in how it defines personal data. Responsibility for proving that its actions are compliant is placed firmly on the company. There are also strict timeframes within which firms must act, such as when an individual requests that their personal data be erased.

The potential penalties for non-compliance are severe. Firms that break the rules could be hit with a maximum fine of up to £20,000,000, or 4% of worldwide annual turnover, whichever is higher.

What is classed as personal data?

At the heart of GDPR is personal data, and its definition goes far beyond that of previous data protection laws. In the eyes of GDPR, personal data is anything that can directly or indirectly identify an individual.

This includes name, email address, bank details and photos. It also covers work email addresses, if they can be used to identify a specific person (so generic addresses such as info@ will be exempt, whereas Tom.Smith@ would be classed as personal data).

If an individual can potentially be identified by a pseudonym, username or other unique handle, then this data will also now be protected under GDPR.

What are your responsibilities under GDPR?

If you are already complying with the Data Protection Act, then you’ll be well on your way towards compliance with GDPR. There are, however, some key differences.

When holding personal information, you must ensure:

  • You have a lawful basis for processing the data
  • Data is processed for a specific, explicit and legitimate purpose
  • All information held is relevant for the specified purpose
  • All data is accurate and up-to-date
  • You do not keep data for any longer than necessary
  • Data is processed lawfully, fairly and in a transparent manner
  • Information is handled and processed in a way that maintains security
  • Consent has been obtained for any new and existing data that you hold or process

To help you ensure your business is compliant, we’ve broken the process down into 12 easy steps. You can download your free checklist here: 


Existing data

The last point about existing data is an important one.

GDPR rules apply to any data you already hold. If it was obtained in a way that complies with GDPR, then great! You’re good to go. If it wasn’t gathered and recorded in a manner that complies, then you’ll need to act, or delete it.

Take, for example, an existing list of people who have signed up to your company newsletter. If you obtained explicit consent and have evidence of it, then your list is likely to be compliant.

If you haven’t got a record of consent being given, or if you used an automatic opt-in button or similar, then you will need to gain consent again. Make sure you do so in a way that fully meets the new requirements, otherwise it won’t be lawful for you to use it.

Legally acceptable reasons for processing personal data

GDPR specifies six legally acceptable reasons for which personal data may be processed. They are:


1. Consent for a specific purpose

For consent to be used as the lawful basis, individuals must give their explicit consent (not assumed through a pre-ticked box or similar) and positively opt in to their data being held and used. It must be given for a specific reason, with separate consent sought for separate actions. If services are being offered to children, then parental consent will be a requirement.


2. Contractual necessity

You can lawfully process data if you have a contract with the individual and you need to process their personal data in order to comply with your contractual obligations. This option also applies if you don’t yet have a contract, but have been asked to do something that requires you to process their personal data, such as producing a quote.


3. Controller’s legitimate interest

Legitimate interest is the most flexible lawful basis. To use it you will need to show that there is a legitimate interest (basically a good reason why the processing is necessary). This must be balanced against the individual’s interests, rights and freedoms. You must include full details of your legitimate interests in your public-facing privacy policy.


4. Controller bound by legal obligation

You can also process personal data if you are required to do so to comply with a common law or statutory obligation. This doesn’t, however, apply to contractual obligations. If you can reasonably comply with a law without processing personal data, then this basis won’t apply.


5. To protect vital interests

This only applies to organisations that are required to process data to protect someone’s life, for example when providing emergency medical care. Even in these cases, if the individual can provide consent, then it must be sought.


6. Public interest or official duty

This lawful basis allows you to process personal data on individuals if the task is in the public interest, or if you are required to perform a function that has a clear basis in law.

Individual rights

Under GDPR, individuals have much stronger rights and greater control over their personal data and how it’s used.

Individuals need to agree to their information being gathered and to exactly what it will be used for. Records must be kept of this consent, to prove it has been gained lawfully.

They can then request that any data you hold be amended, updated or erased at any point. They can object to the gathering or processing of their data, and withdraw their given consent at any point. You’ll have just 30 days to comply with any such request.

Who is the ICO?

The Information Commissioner's Office (ICO) is the body responsible for overseeing GDPR in the UK. If an individual is unhappy and feels their personal information has been mishandled in any way, then this is where they can turn for help.

In the event of a complaint, the emphasis will be on you to prove you have acted in a legal way and are compliant with GDPR rules. Accurate record keeping is therefore vital.

For more information, see the ICO ‘Guide to the General Data Protection Regulation (GDPR)’.

Complying with GDPR

So, where should you start?

The key thing is to understand the current situation and what data you are holding, then to implement any system changes that may be required.

It’s important that everyone within the business knows about GDPR and what compliance entails. It’s also advisable to give someone within the organisation responsibility for overseeing your GDPR compliance. This is a legal necessity if you have over 250 employees, but is good practice for any business.


We have also pulled together a handy infographic specifically for marketing teams that contains the key information they need to know about: 


DISCLAIMER: Lead Forensics is a global market leading SaaS organisation. We have conducted extensive research into the GDPR and have an active working knowledge intended to help our clients to become better prepared ahead of the GDPR coming into force. Lead Forensics however does not provide legal advice on the GDPR and cannot be held responsible for the GDPR compliance of any organisation other than its own; it is the responsibility of each business to ensure their own compliance with the GDPR. If you have any need for legal advice, please contact a solicitor or visit the ICO website for further information: www.ico.org.uk
