Coming into force on May 25, the General Data Protection Regulation (GDPR) - which replaces the Data Protection Act 1998 - is something which all businesses are expected to comply with.
With just a few days until the new system is formally introduced, agents will have been working hard to prepare for the GDPR.
To help you on your way, in association with The ValPal Network, we've assembled a panel of experts who answer a key GDPR-related question each week.
If you have a question you'd like to ask our experts, please get in touch on email@example.com.
It's advised that our databases now need to be 'granular' and 'delineated'. What does this mean?
Jon Baines, data protection advisor at Mishcon de Reya LLP:
For too long some businesses have amassed data in rather a haphazard fashion – their contact databases might have been a mix of current customers, former customers, leads, friends, business contacts etc.
In some cases, they might even have included details purchased as part of a marketing list, or ‘scraped’ from public sources. This hasn't ever really been justifiable from a data protection point of view, but GDPR is thankfully bringing a sharper focus.
Businesses will increasingly be expected to be accountable for the customer data they hold – by which I mean they should be able to say where it came from, when, in what circumstances, whether or not the person had given consent to receive marketing emails, how long it will be retained, etc.
Additionally, under GDPR, they will have to be able to point to the lawful basis for the processing of the data.
And such records should be made available, on request, to the Information Commissioner's Office. Data subjects will, of course, continue to have the right to know what data is held on them, and for what purposes, but, given that the fee for making such a request disappears under GDPR, the numbers of people exercising this right could well increase (and businesses will have just one month to respond, instead of the current 40 days).
So it seems that the days of databases held in perpetuity, with a mishmash of data, and no process of checking accuracy, or relevance, should be numbered.
The GDPR team at Mishcon de Reya comprises data protection experts as well as non-lawyer cyber security specialists. If you would like any advice on how to manage GDPR within your organisation, please contact Jon Baines.
Annemarie Proudfoot, head of customer relations at BestAgent:
As you know by now, the more specific you can show your consents to be, the more you have “CYA” under the GDPR.
Granular consent just means consent given to a specific purpose, and delineated means organised. In order to ensure GDPR compliance (especially when it comes to consent), the more organised and properly indexed (by purpose, for example) your database, the better.
Bernard George, solicitor for Socrates Training Ltd:
Do not be misled by the technical sounding language. The point is simply that you cannot treat all clients alike, or all your information alike.
For example, you might have a marketing database with all your clients and contacts on it. Pre-GDPR, you might have been able to email them marketing information with nothing more than an opt-out button at the end. Now you ought to distinguish between clients on the one hand and other contacts on the other.
With clients, you are allowed to email them information about your own similar services (subject to allowing them to opt-out). But for non-clients you will need an opt-in.
So, your database must record who is a client and who is not, and who has opted in or out. Otherwise you will find it is unusable.
Damon Bullimore, chief information officer at BriefYourMarket.com:
To provide consumers with more transparency, one of the requirements under the GDPR is to granulise for your direct marketing purposes by content type and channel, i.e. email, SMS, post.
Whilst granulising may initially require your time and attention, there are significant benefits to your business. Granulising content is considered best practice for compliance, but it will also help you improve customer personalisation, which in turn improves your opens and reduces unsubscribes.
Your customers want a personalised and non-intrusive service from you, and the only way that you can meet that expectation is by understanding what it is they’re interested in receiving from you, and what they’re not interested in.
A GDPR-compliant database will contain detailed records of your recipients’ marketing preferences – in terms of marketing content and medium – as well as detailed records relating to the lawful basis used to process their data, in a time and date-stamped format, where appropriate.
Angels Media Ltd encourages you to seek additional guidance, including professional legal advice, to ensure that all of your business operations are ready for the GDPR.
Angels Media Ltd Legal Disclaimer:
The information contained here is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice.
We would like to stress that there is no substitute for making your own detailed investigations or seeking your own legal advice if you are unsure about the implications of the GDPR on your businesses.
While we have made every effort to ensure that the information covered here is correct and up to date, Angels Media Ltd makes no promises as to completeness or accuracy, and the information is delivered on an “as is” basis without any warranties, express or implied.
Angels Media Ltd will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of or reliance on this information or from any action or decisions taken as a result of using this information.