GDPR – How to Sleep Easy!
If GDPR is meant to stop the abuse of data by large companies who have access to vast amounts of personal records, which they then pass without permission to third parties, who go on to make the lives of vulnerable people an unliveable hell of unsolicited marketing – then it’s laudable.
If it’s meant to catch out unwary SMEs carrying out low-level e-marketing to a database of potential customers, most of whom are too lazy to unsubscribe, and then fine them out of existence, then it’s ridiculous.
In truth, it is of course the first objective that drove the legislation. Nevertheless, the current furore surrounding this issue seems to have led many small businesses to panic and take compliance to an unnecessary level.
The regulations are not clear but the spirit is
Namely that you should not use or share data in the form of personal contact details in any way, unless you have permission to do so. The uses for which you collect data must be made clear and the storage must be secure. If someone wishes you to wipe them from your records then you must do so, for good.
The new rules appear to make no distinction between personal and business contact information, nor between businesses communicating with other businesses and businesses contacting private individuals. This is an idiotic situation. The sending and screening of marketing communications is surely a necessary part of business life.
Concept of legitimate interest
Fortunately, there is the concept of legitimate interest and we are grateful to Intermedia Global for their exemplary explanation.
“Legitimate interest is the most flexible lawful basis for data processing. However, it can also be the most complicated.
According to the ICO, there are three elements to be considered when taking the legitimate interests route:
- identify a legitimate interest;
- show that the processing is necessary to achieve it;
- balance it against the individual’s interests, rights and freedoms.
In cases in which an individual’s right will be breached, their rights will override your legitimate interest. However, please keep in mind that, according to the ICO, the legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits. Recital 47 recognises that direct marketing may be regarded as carried out for a legitimate interest.
Therefore, as long as the data has been sourced in a lawful manner it is safe to say any organisation can process data that has been outsourced, as long as their legitimate interest is proven, and it does not limit any rights of the individuals”.
The best course of action
So, as we have said all along, the best course of action for SMEs is to tidy up their cookie warnings, privacy policies and contact forms – and seek to be compliant with the spirit of the new regulations moving forward. Be sparing with the frequency of e-shots, keep them relevant to the target audience, on no account share data, make unsubscribing easy and beef up the physical and virtual security of data storage – then you can sleep easy!