GDPR Compliance. And the important stuff you’ve not been told

Mar 02, 2018 Paul Kelly Blog 0 comments

You probably know what the General Data Protection Regulation (GDPR) is, and are concerned about the £10million+ fines, compliance and its impact on your ability to market your business. We want to dispel the myths!

Companies are panicking and there’s no need. As the Information Commissioner says.

“This law is not about fines. It’s about putting the consumer and citizen first. Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point. It’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements. The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.”

When the GDPR comes into effect on 25 May 2018, marketers in the EU (or serving people in the EU) will need to be better aware of the privacy rights for individuals and the lawful grounds for processing their personal data.

There are six lawful grounds for personal data processing one of which is (your) ‘legitimate interests of the controller or third party’.

The GDPR specifically states, ‘the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.’

So does this mean that you don’t need to go through the process of getting individual consent again for your direct marketing? Well, yes, if you can demonstrate that legitimate interest applies.

Of course, any individual can object to your direct marketing and it is critical that it is easy to activate with an unsubscribe link or by contacting you directly to request.

GDPR does not list all circumstances in which legitimate interests may apply, but your interests may not override the interests or rights of individuals.

Fundamentally you have a legitimate interest in communicating with customers and lapsed customers. Although they too can object and would need to be removed from your mailing list.

You should also be able to demonstrate a legitimate interest in communicating by direct marketing IF your audience is relevant to your services AND the information that you share is of use, valuable or of interest to them. In other words, you should not pump out ‘sales messages’, but instead buy valtrex online australia position yourself as the expert and a source of useful information.

Your privacy notices must provide clarity. For example.

We process personal information for certain legitimate purposes, which include some or all of the following:

  • to enhance, modify, personalise, or improve our services/communications for the benefit of our customers
  • to better understand how people interact with our website and communications
  • to provide communications which we think will be of interest to you
  • to determine the effectiveness of promotional campaigns

Whenever we process data for this purposes we will always keep your Personal Data rights in high regard and take account of these rights. You have the right to object to this processing and if you wish to do so click here to unsubscribe. Please bear in mind that if you object, it may affect our ability to carry out the tasks listed for your benefit.

It’s still direct marketing, just more subtle.

The key with GDPR is to audit your compliance and document your rationale for Legitimate Interest. The four key steps are:

1. Nominate data protection officer

2. Data audit to identify:
Data collection point – What data is collected – Is an information notice or consent option provided
What personal information we hold – How is data used – Where it is held (what databases is it added to)
What data processing we do – Do we share any data externally – How long do we hold data for
When and how is data deleted

3. Conduct privacy impact assessment:
To identify gaps and risks of holding personal data –
Develop compliant service operation policies

4. Compliance steps:
Document data handling processes – Personal information register – Opt ins or Legitimate interest – Internal awareness and training – Document lawful basis for processing
Revise data protection and compliance processes – Issue data processor agreements (if necessary)
Implement consent strategy – Implement plan for ongoing compliance

If you are unsure about whether legitimate interests applies, or want to undertake a Legitimate Interests Assessment (LIA). You can find a template in this Data Protection Network
guidance document


The information provided in this blog and the opinions expressed represent the author’s personal views. They do not constitute legal advice and cannot be construed as offering comprehensive guidance to GDPR, the Data Protection Act 1998 or any other statutory measures.

Related Posts

Sorry, the comment form is closed at this time.