Admittedly, the General Data Protection Regulation (GDPR) may not be the most exciting piece of legislation. However, with just over six weeks until it comes into force on 25 May 2018, the time to make sure you are fully compliant is NOW!
Am I Affected?
If you process personal data about individuals who are in the EU, or your business is established in the EU, you must comply with the GDPR. It applies to businesses of any size (including SMEs), whether you contract with other businesses, directly with clients, or both.
The definition of “processing” is extremely wide: it is difficult to think of anything you do with personal data that would not count as processing. It includes collecting, recording, storing, disclosing, altering, combining, and even destroying data.
Grounds to Process Personal Data
The GDPR requires you to have a “lawful basis” (Article 6) for collecting and using personal data, and to identify which basis you are relying on before you start processing.
The main grounds for processing are:
Note that where you rely on “legitimate interests”, you must still describe those interests in your Privacy Notice. The Privacy Notice must be readily available to the individual and should clearly state:
Marketing Material and Consents
It is likely that you will need an individual’s clear, affirmative opt-in consent before you can send any marketing or product information to their email address or phone; silence, inactivity or pre-ticked boxes do not count as consent. Postal marketing may be possible on the legitimate interests basis, but the individual always has the right to object to direct marketing, and you must stop when they do.
The GDPR does not grandfather existing consents: a consent obtained before 25 May 2018 remains valid only if it already meets the GDPR standard. If your existing consents were not freely given, specific, informed and unambiguous, you will need to obtain consent again in a fully compliant manner.
Where your business receives referrals of potential clients, you will need consent before sending out marketing material. In practice, you should email the potential client once, explain who referred them to you, and ask whether they wish to receive information about your business offerings; if they do not reply, do not add them to your marketing list.
The GDPR requires you to be able to demonstrate compliance (“accountability”). This means you must keep a record of all consents received (who consented, when, to what, and how) and of the lawful basis on which you process each category of personal data. You must also record how long you will retain personal data. If you have 250 or more employees, or your processing is not occasional, is likely to result in a risk to individuals, or involves special categories of data (such as health data) or criminal conviction data, you must also keep a written record of all your processing activities.
If you outsource any functions or work to a third party, you must identify those third parties (or the categories of recipient) and the personal data you may share with them in your Privacy Notice.
As you remain responsible for safeguarding any personal data you share with third parties who process it on your behalf, it is crucial that you check they also comply with the GDPR and that you have a written contract in place containing the processor terms the GDPR requires (including confidentiality, security measures, sub-contracting controls and return or deletion of the data at the end of the engagement) to minimise your exposure.
You will not need consent for any personal data you are required by law to collect from directors and shareholders (for example directors’ names and dates of birth, which must be submitted to Companies House): the lawful basis there is legal obligation. However, you may wish to include a sentence in your Privacy Notice to explain this.
Where you also hold personal data that is not required by law (for example shareholders’ email addresses), you will need a separate lawful basis, so you may wish to explain in your Privacy Notice the legitimate interest you rely on for retaining this additional personal data.
As with all personal data, the key thing is ensuring you have appropriate technical and organisational measures and processes in place to protect individuals’ personal data, and that you can show what those measures are if asked.