On 25 May 2018 the General Data Protection Regulation (GDPR) replaces the Data Protection Act (DPA). The aim is to give individuals more control over how their personal data is used and get businesses to be more transparent over how it will be used. The UK Government have confirmed that Brexit has no impact. Businesses will have to think differently over how they use personal data and be prepared to justify the use if asked by an individual. There are a lot of myths and scare stories of what is going to happen. This was not helped by the Sun saying “Builders, cleaners and gardeners could face huge fines just for sending an EMAIL to drum up business thanks to draconian EU laws on data protection”. The Information Commissioner did a blog to say it ‘is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that”.
We still don’t know everything, but that should not stop a business starting to prepare for May 2018. This blog looks at the impact on sending emails and on getting business cards at networking meetings. Guidance on how to interpret the GDPR for day-to-day use has been coming from the Information Commissioners Office (ICO), the Article 29 Data Protection Working Party (who advises on Data Protection) and the equivalent of the ICO in different EU countries. The GDPR is not the only relevant legislation. There is also the Privacy and Electronic Communications Regulations (PECR) which sits alongside the DPA. This is going to be replaced by the ePrivacy Regulation that aligns it with the GDPR. But there is a problem. It was due to be ready for May 2018 but this looks increasingly unlikely due to the number of issues raised on the draft. As the GDPR sets more stringent requirements for dealing with personal data, let’s go with those.
The first step is to see what is meant by ‘personal data’. This is defined in Article 4 of the GDPR as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. A much wider definition than under the DPA, but one that reflects our online world.
Emails such as firstname.lastname@example.org or email@example.com are not personal data as you cannot identify an individual (aka data subject). firstname.lastname@example.org definitely is personal data. But what about email@example.com or firstname.lastname@example.org? They should be considered as personal data as they could be indirectly linked to a person if combined with other data.
In the brave new GDPR world you need to know the lawful basis for sending an email (which is a type of processing). The Information Commissioner did a blog on 16 August 2017 about this. The likely ones for a business are legitimate interest, consent, contractual or legal obligation. A legitimate interest for a company is making sales, but this needs to be balanced against the interests and fundamental rights of the data subject. To determine this balance you need to consider factors such as:
- the impact on the individual and their reasonable expectations about the processing of his or her personal data
- additional safeguards that can be implemented to limit any undue impact; e.g. data minimisation and a right to opt-out
Guidance on legitimate interest is available from the ICO (they plan to issue updated guidance in 2018) and the Article 29 Data Protection Working Party. The Data Protection Network has also issued guidance (you need to register to download it).
If you decide that consent is the lawful basis you need to make sure you have a record of when consent was given and that the person had the details required by the GDPR. This includes:
- Details about the data controller
- Contact details about the controller’s Data Protection Officer (if one exists). This could be a generic email address such as email@example.com as the person in the role could change over time
- What processing is done and the legal basis for doing it (consent, legitimate interest, contractual requirement etc.)
- Who data will be passed on to, if that is applicable. It is no longer valid to say something like ‘our carefully selected partners’, it must be more specific
- How long data is retained
- How to exercise the right to have data erased, to withdraw consent, to lodge a complaint with a supervisory authority etc. This will probably be a generic email address such as firstname.lastname@example.org
As you are unlikely to have that for existing contact details you need to go back and ask for it, giving the required information so when consent is given it will be valid. But you should only do this once. And make sure you don’t ask someone that has already said they don’t want marketing emails, Flybe were fined for doing this.
You are at a networking event and come away with business cards of people you want to talk to later. As I am sure you would have said this to them at the time, and they verbally agreed to it, there is a legitimate interest to send an email follow up to arrange a call or meeting. As part of that email, you could include a link to a page where they could sign up to your email updates. There is also a view that a follow up email is allowed as handing someone a card is an affirmative action and there is a reasonable expectation of a follow up. Covered under ‘consent through a course of conduct remains valid’. What should be avoided is using MailChimp etc. to send out the follow up email or adding them to your mailing list straight away.