There is no escaping the fact that data protection is changing and that GDPR is coming. So much of what has been said about it is based around fear and panic. Not necessarily surprising when you consider the size of the potential fines that could be enforced! The worry GDPR has caused has led to numerous concerns being raised. Despite those memes online that moan about people who find a problem for every solution, without them it would take longer to get to the people who find a solution for every problem.
Many people have simply been told about the Data Protection Act and understand what they need to understand. What GDPR has brought is a situation where people are reading the full legislation and trying to understand legal wording they may not have encountered before. That lack of understanding and knowledge leads to worry, concern or confusion, and so they push back against it as something evil. We. Don’t. Like. Change! Not too long ago, when Facebook bought Instagram, revised Terms and Conditions were released shortly afterwards and there was uproar! People had spotted wording in the T&Cs that meant their images could be used for marketing purposes and were essentially the property of Instagram, which gave it that right. Spiteful Facebook, just taking our beloved images. It seemed to take ages before people began to point out that the term had always been there, well before Facebook took over, and it wasn’t one of the changes!
GDPR feels like a large-scale change and something that covers so many different things. We can look at some of the situations and deal with them individually to help remove some of the fear. Consent is one of the fundamental things you’ll need to look at. If you currently use pre-ticked opt-in boxes, then you will have to stop. That simple. You can’t avoid that, so moving forwards you just need to make sure that consumers opt in to you by taking the action themselves. They tick the box based on a clearly worded opt-in stating that you would like them to sign up for your marketing emails – and word it more clearly than that!
The protections coming into force with GDPR are very much about how data is processed and stored. It is about protecting the identity of those consumers on whom you hold data. Whilst it is nice to know who your customers are, you don’t necessarily need to identify them by name all the time. There is an apparent encouragement to protect data by using pseudonyms or by making the data anonymous, so that if a breach occurs and the data is accessed, the consumers cannot be identified. Provided the master list of consumers is kept as securely as it can be, you can hold it but operate day to day on a pseudonymised list, and if you ever need to fully identify someone then you still can. Just make sure the two lists aren’t linked or at risk of both being accessed!
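As an added illustration of the split described above (example code, not part of the original post), the following Python splits a customer list into an operational list that carries only a pseudonym plus non-identifying attributes, and a separate master list that maps the pseudonym back to the person. The pseudonym is an HMAC-SHA256 of the e-mail address under a secret key, which is an assumption of this example rather than anything the post prescribes: a keyed hash means that someone who obtains only the operational list cannot rebuild tokens by hashing guessed addresses, and the key belongs with the master list, not with the operational data. The customer records are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for the example; not real people.
CUSTOMERS = [
    {"name": "Alice Example", "email": "alice@example.com", "plan": "gold", "region": "EU"},
    {"name": "Bob Example", "email": "Bob@Example.com", "plan": "silver", "region": "EU"},
    {"name": "Carol Example", "email": "carol@example.com", "plan": "gold", "region": "UK"},
]

# Fields that directly identify a person and must not reach the operational list.
IDENTIFYING_FIELDS = ("name", "email")


def make_token(key: bytes, email: str) -> str:
    """Derive a stable pseudonym from the natural identifier.

    Uses HMAC-SHA256 (assumed here) rather than a plain hash so the token cannot be
    recomputed without the key. The address is normalised first so that the same
    person always maps to the same token regardless of letter case or whitespace.
    """
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def split_dataset(records, key: bytes):
    """Return (operational_list, master_list).

    operational_list: token plus non-identifying attributes, safe for day-to-day work.
    master_list: token -> identifying attributes; stored separately, together with the key.
    """
    operational = []
    master = {}
    for rec in records:
        token = make_token(key, rec["email"])
        master[token] = {f: rec[f] for f in IDENTIFYING_FIELDS}
        operational.append(
            {"token": token, **{k: v for k, v in rec.items() if k not in IDENTIFYING_FIELDS}}
        )
    return operational, master


def reidentify(token: str, master: dict):
    """Look a person up from the master list; only possible with access to that list."""
    return master.get(token)


def leaks_identity(operational) -> bool:
    """Check used before publishing the operational list: does any record still carry a direct identifier?"""
    return any(f in rec for rec in operational for f in IDENTIFYING_FIELDS)


def count_plan(operational, plan: str) -> int:
    """Example of useful work done on the pseudonymised list alone."""
    return sum(1 for rec in operational if rec["plan"] == plan)


if __name__ == "__main__":
    # In practice the key lives with the master list (e.g. a KMS or HSM), never beside the operational data.
    key = secrets.token_bytes(32)
    operational, master = split_dataset(CUSTOMERS, key)
    print("operational list leaks identity:", leaks_identity(operational))
    print("gold-plan customers:", count_plan(operational, "gold"))
    print("re-identified first record:", reidentify(operational[0]["token"], master))
```

The point of the two-list layout is that the operational list, the one most systems and staff touch, is useless on its own to an attacker who gets hold of it, while re-identification still works for the few cases that need it, provided the master list and the key are stored and access-controlled separately.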
Be aware of how you can process data. GDPR Article 6.1 defines the lawful grounds for data processing:
- Consent of the data subject
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
- Processing is necessary for compliance with a legal obligation
- Processing is necessary to protect the vital interests of a data subject or another person
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject (note that this condition is not available to processing carried out by public authorities in the performance of their tasks)