The new General Data Protection Regulations become law from the 25th of May 2018. They have been devised to attempt to keep up to date with the digital revolution, and apply to UK companies and charities that process the personal data of EU residents. To understand the GDPR in detail, explore the ICO’s data protection reform hub on its website.
Our previous blog described how CRM solutions can help with GDPR, and how they can cause issues. This blog deals with the rules in a little more detail and a suggestion on what your CRM system actions might be. Please bear in mind Junari are interested parties and not legal representatives, so you should consult legal advice services if in doubt!
The key changes in a nutshell are:
1) ‘Personal data’ has been widened to additional elements that could be used to identify an individual, to include cultural, social, financial, mental and genetic factors.
ACTION: Take time to understand what you store and ensure that you only store what is reasonably needed. If you provide services to only one sexual orientation, measure service provision based on this factor, or need to tailor the service based on sexual orientation, then it is reasonable to store this information. But if not, why do you need to know (and more importantly mark it in a record kept)? Also, it is necessary to understand WHY you are storing it and what the purpose of the data is. If it is not for a defensible reason, get rid!
2) If you process the personal data of children, you will need parental consent if they are under 16. Keep your eye open though, as EU member states may change this to 13.
ACTION: Make sure you only store data on children when it is really required, and then collect parental consent and store that as evidence before you process data.
3) Valid consent must be sought: “Silence or inactivity does not constitute consent; clear and affirmative consent to the processing of private data must be provided.”
ACTION: There are two sides to this in our opinion. Firstly, people that you have never met, dealt with or spoken with should be contacted with the request to opt into your marketing messages before receiving them. Secondly, if a person is dealing with you already as a customer or supplier, that could be viewed as valid consent, unless they expressly opt out from marketing messages at the same time.
4) “Right to be forgotten”: the new regulations require that if people wish their data to be removed, then this must happen.
ACTION: You should have a process to remove or anonymise the person’s data in any system. The exception to this in our thinking is where you have legal records associated with the person, such as invoices.
5) Data should not be shared unless necessary, and never outside of the EU without seeking legal advice.
ACTION (1): We would also suggest reviewing your back-up strategy for personal data. If you use Amazon for example as a back-up mechanism, then this could be construed as sharing data outside of the EU, being US based. If this is the case, then check the T’s and C’s to ensure they are observant of EU law.
ACTION (2): Devise yourself a plan for avoiding, dealing with, and reporting a data breach. Either the Data Protection Authority or the individual affected should be informed as to the type and size of the breach, any remedial action, the potential impact on them, all within 72 hours of the discovery of the breach.
Don’t forget, if you are in any way confused about how your business should approach the issue of being GDPR compliant, then seek legal advice. Alternatively, you could consider attending some of the many GDPR related business events that organisations such as Chamber of Commerce and Forum of Private Business will have available to members.
For those of you who are based in Essex, you might like to know that the guys at Business Connected have got just such an event organised on 29th November 2017, from 09:30-11:30 GMT at the Best Western Marks Tey Hotel. You can visit their eventbrite registration page here to find out more and register.
And of course, the team here at Junari are very happy to talk to you about how our particular CRM system, JunariCRM+, will handle data and help your business. Contact us on 01206 625225 or email us at firstname.lastname@example.org, or use that lovely red “Get in Touch” button below.