A few weeks ago I wrote an article about the General Data Protection Regulation (GDPR), signposting some useful resources and giving my take on what businesses should consider.
Since writing that post, like most people, I am now being bombarded with emails from companies pointing me to their new Privacy Notice or asking me to re-sign up to their email communications. I have also been to a Business Gateway seminar where a lawyer from MacRoberts LLP provided an overview of what businesses need to do to get ready.
What became clear is that there is quite a lot to consider and it can become quite murky. What also became obvious is that no business is exempt from this, whether it is a sole trader, a charity or a limited company. Everyone needs to be aware of GDPR and put controls and safeguards in place.
Data Controllers and Data Processors
These are two definitions that you should be aware of under GDPR. According to the Regulations a Data Controller is:
The Data Processor is the person who processes the data on behalf of the data controller.
Take an example. You run a business and, as part of your marketing, you issue regular email newsletters to customers. To do this you use a third-party mailing system such as Mailchimp. In this case you, as the business owner, are the Data Controller, i.e. you have decided how you are going to use this data, and Mailchimp is the Data Processor, i.e. they are issuing the newsletter and storing the data on your behalf.
To take this a bit further, I occasionally help businesses to create and issue newsletters using Mailchimp. The businesses I work with would be classed as the Data Controller, I would be classed as the Data Processor and Mailchimp would be the sub-processor (a processor acting on behalf of another processor).
Email Marketing and Consent
Admittedly this is a very grey area and I don’t want to dwell on it too long. It is worth reading this section in the ICO guidelines.
You will have seen some emails coming through from businesses simply saying they have updated their privacy notice, and some emails asking you to re-opt-in to mailings.
For customers who have bought a product in the past or are an existing client, you are entitled to send marketing emails as long as you gave them a clear chance to opt out when you collected their details and there is a clear opportunity to opt out or unsubscribe in every email (the ICO calls this the "soft opt-in"). The same applies to sole traders and some partnerships. For corporate entities with a general mailbox, e.g. email@example.com, it is permissible to email them without consent. However, employees of that corporate entity are classed the same as individuals, e.g. firstname.lastname@example.org, because a named address is personal data.
However, if you are mailing people who have never been a client or customer and whose details have simply been added to a mailing list, you need to gain consent from them before emailing them. This is where an email is sent asking people to re-sign up to mailing lists. Be careful here: the consent must be a clear, affirmative action (a pre-ticked box does not count), and the ICO has previously fined companies for sending "please re-consent" emails to people who had never consented to receive email from them in the first place, since that email is itself unsolicited marketing.
GDPR is a very large and complex area. The views above are my own and distilled from what I have learned over the past few weeks. However, this legislation has been in the making for four years, so there is far more to it than simply one page of my thoughts.
If you need help, you may want to get some legal help to understand your responsibilities. There are also lots of resources online, simply search for "GDPR". In the meantime, I hope this was of some use.