Thinking about GDPR?

19 Feb 2018

Having been to a couple of GDPR presentations recently, it is all beginning to fall into place. So what do we know? It’s all about data privacy and permissions, and there is quite a rigorous and comprehensive process we all need to follow. But it seems that it might be simplified this way.

There are two separate things to consider: GDPR and PECR (Privacy and Electronic Communications Regulations), working alongside each other. Under the former we must keep all data safe and secure, and the latter covers promoting and marketing to people by email.

Under article 6 of GDPR, personal data falls under one of six categories, the most prominent being ‘consent’ and ‘legitimate interest’. If you have had a dialogue with people before via email and are not marketing to them, then this may fall under the ‘legitimate interest’ category; if you don’t know people and you are marketing to them, you need their consent to do so.

An important part of GDPR is that everything must be recorded, and there should be an audit trail in place to show when consent was given. This can be used, for instance, to respond to individuals who wish to be removed from your database. Any data breaches have to be reported within 72 hours, and a data protection policy should be in place too.

Above all, we’re told we shouldn’t panic but simply audit our data systematically, in all the places it is held, to make sure we are all GDPR compliant by 25 May. Check the ICO (Information Commissioner’s Office) website for the latest updates – you can also follow them on Twitter.

(Please note this is a view from Vantage and does not constitute legal advice)