Following on from our Guide to GDPR, we thought it would be useful to add some facts to help you understand the upcoming changes.
What is “personal data”?
Personal data is anything that can be used to directly or indirectly identify a person. As well as the obvious like email and a physical address, it also includes photos, IP addresses and bank details.
Do I need consent to store data in a CRM?
No, you only need consent from a person to communicate electronically with them – by email, SMS, fax or telephone. You don’t need consent to send them physical mail.
What will be the effect of Brexit?
Brexit will have no effect whatsoever. Firstly, GDPR comes into effect on 25 May 2018 and the UK will still be in the EC on that day. Secondly, the Great Repeal Bill, despite its name, will simply enshrine all existing EC legislation into UK law, including GDPR. Thirdly, the UK government has committed to comply with future EC legislation so that the UK can continue to receive data from the EC.
What about B2B marketing?
GDPR draws no distinction between B2B and B2C communications, and the definition of personal information would include a business email address. There are a number of opinions (or maybe wishful thinking!) that says the UK’s forthcoming e-Privacy Regulation may “clarify” (i.e. loosen up) B2B marketing. However, the draft legislation proposes that marketing to existing customers will be allowed only.
We won’t know for certain what will be in the final version of the regulation until it is passed by Parliament, and even then, some of the wording may be vague. Plus, we don’t have a date for when it will be passed. The most likely outcome will be that marketing to existing customers will be allowed without prior consent, but may be restricted to the products that they have already. Until we know the final legislation and it is passed, we have to apply strict GDPR and get consent from everyone before mailing them.
If somebody hands me a business card, is that consent?
No, simply handing over a business card does not give consent, and even if it did you’d have difficulty proving it.
How about data collected at trade shows?
Again, you need provable consent. Ideally, they’d fill in their details on a form and then tick a box and sign it.
How about sending transactional emails to our customers?
You don’t need consent to send invoices and other transactional emails to your customers. What the difference would be between a transactional email and a marketing email is not defined. Presumably you can tell customers more about the products they use, maybe not products they don’t. Maybe the UK’s forthcoming e-privacy regulation will clarify.
Do we need consent from each individual person at our client?
Yes, apart from transactional emails.
What happens if a customer gives us the contact details of their colleagues?
You still need consent from each colleague.
How about the existing contacts I have in my CRM?
Existing contacts are treated no differently from new contacts. Apart from transactional emails, if you don’t have consent you’ll need to obtain it if you want to mail them after 25 May 2018.
How do I get consent for my existing contacts?
The best way to gather consents from existing contacts is to send them an email asking them to access a web page and give consent. Contact us for more help on this >
Can I send an email asking for consent to somebody who hasn’t granted consent?
Up to 25 May 2018 you can send out as many emails as you like asking for consent. After that you’ll need either prior consent or a double opt-in.
What is Double Opt-In?
Double Opt-In is when a person fills in a form on your web site requesting to be on a mailing list, and you immediately send them an email asking them to confirm their subscription by clicking a link. It is marketing “best practice”, and avoids the possibility that somebody else would enter your email and sign you up without your permission.
What about contacts outside of the EC?
GDPR only applies to EC citizens. If your mailing list contains contacts in the US, Australia and Singapore you can email them without consent, subject to national legislation such as the CAN-SPAM Act in the US.
How does GDPR affect Executive Search and employment agencies?
You’ll need to be especially careful about storing their personal data and how you report data breaches, as the data you hold would be particularly damaging if lost. You’ll need consent from any candidate before you pass their data to any third party, including potential employers.
What customer information can you keep if somebody requests erasure?
You can keep any information that is not personal data for the person requesting, for example, the company name and address.
Can you ask people only to click if they don’t want the newsletter?
No way, specifically outlawed. Positive opt-ins only, not passive.
If our privacy statement says they consent to receive emails, is that OK for existing contacts?
No, you’ll need active consent, not passive.
What’s the difference between the Right to be Forgotten and the Right to Erasure?
The Right to Erasure expands the Right to be Forgotten.
How does this affect a purchased list of prospects?
GDPR specifically outlaws “bundled” consents, where a person has ostensibly allowed their data to be sold to third parties. A correct consent is when a person allows themselves to be contacted from a specific organisation about specific products or services. Physical postal mail doesn’t need consent, just the option to stop receiving, but marketing emails need prior consent. You cannot therefore send marketing emails to a purchased list, despite whatever the vendor may tell you – and they’ll be breaking the law if they sell you a list of EC citizens.
What is the position with data held outside of the EC?
GDPR specifies that you need to store all personal data on EC citizens within the EC, unless the country has equivalent data protection laws. It also lists those countries: Andorra, Argentina, Canada, Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Uruguay and New Zealand. Notably, the US and Australia are not on the list.
Some US vendors are saying they will comply with GDPR even though they will continue to store data in the US, under another agreement negotiated between the US and the EC, the US – EC Data Privacy Shield. However, our understanding is that GDPR will supersede the Privacy Shield. Anyway the Privacy Shield is heading for the same fate as the previous attempt to allow data to be held in the US, Safe Harbour, which was also ruled invalid.
Do you have to proactively provide people with a mechanism for requesting erasure?
You don’t need to provide a mechanism, just honour their requests. If you get a lot of requests you might want to consider automation.
Can you email people multiple times to get consent?
Yes, but only before 25 May 2018.
How will businesses outside of the EC be affected?
GDPR covers all businesses who hold personal data on EC citizens wherever they are. How that can be enforced on a small business in Idaho who has no assets in the EC is another question.
How about non-personal email addresses?
Email addresses such as info@ and sales@ are not personal, so no consent is required.
How about Skype and WhatsApp?
Communication via ‘Over the Top’ of the internet services like Skype and WhatsApp will be treated the same way as text messages and telephone calls. You’ll need prior consent.
Do you have a GDPR Policy Toolkit to help?