Thursday 22 March 2018, Glasgow

Isla Gibson of The Dragonfly Agency provided a very useful, practical update on GDPR.  Some of their key points included: 

  • The new ePrivacy Regulations will not now come into force at the same time as GDPR, but are likely to be in place by the end of 2018. 
  • By now, you should have: 

-   Identified a GDPR project group, which should be meeting regularly.

-   Mapped data flows, identifying what data you hold, what data is gathered and what to do if you have a breach.

-   Sought and obtained consent from customers and suppliers, making it clear what they are signing up for (separate consent to telephone, post and SMS) and detailing what they are getting in return. Sainsbury’s was cited as an example of good practice in this respect. 

  • If you have not achieved this yet, you should read the ICO’s “Preparing for the General Data Protection Regulation: 12 steps to take now” and work through the steps. 
  • You should have transparent procedures for collecting and storing data, including using and managing suppression lists (with a system for not re-adding contacts that have previously been removed). Honda was recently fined for a failure regarding suppression lists. 
  • If using legitimate interest instead of consent, you: 

-   Must state what the legitimate interest is. Legitimate interest can be interpreted differently. For former and current customers and suppliers, you have a legitimate interest to continue marketing to them.

-   Document the data flows, including your workings and rationale for what you have decided (e.g. you have had previous dealing with existing customers and it is sensible that you would continue to communicate with them). 

  • For marketing to prospects, you can rely on soft opt-in. 
  • You should have processes in place to make all staff aware of GDPR. E-learning modules were suggested as an efficient and effective way to ensure all members of staff are aware and trained appropriately. 
  • In terms of Subject Access Requests, you have 30 days to respond to someone asking for a copy of the personal data you hold on them (previously it was 40 days). No fee can be charged. 
  • When transferring data from processor to processor: 

-   Processors should get permission from the controller to transfer data to another processor.

-   No open files should be sent; passwords should always be used. Passwords should be sent by SMS instead of by email. 

  • Direct mail can be a useful tool for gaining consent. Born Free was cited as an example of good practice in this respect. The Direct Marketing Association is a useful source of information and advice. 
  • Clear, simple language, free of jargon, should be used when communicating with staff, customers, and suppliers about GDPR. Manchester United and Channel 4 were cited as good examples, both of which provide good reminders about why people should sign up to receive their communications. 
  • The challenges of partners and staff having their own individual databases was highlighted, as was the need for everyone in the firm to adhere to the new rules. 
  • The ICO will be ready to enforce GDPR by 25 May. It is hoped they will take a practical approach and will focus on high risk, high potential damage cases. 

Written by David Wallace, Wallace Marketing Ltd
Regional Director PM Forum Scotland