Monthly Archives: February 2018


GDPR is changing e-privacy and electronic marketing – stay on the right side of the law

February 20th, 2018 | Blog | 0 Comments

Email marketing regulations state that you can only carry out unsolicited electronic marketing if the person you’re targeting has given you their consent. This guiding principle is not expected to change. However, the scope of privacy regulations is likely to extend to include Business to Business (B2B) as well as Business to Consumer (B2C) marketing because of changes to the definition of personal data.

This is because the Privacy and Electronic Communications Regulations (PECR), which govern electronic marketing, are in the process of being updated in line with the new General Data Protection Regulation (GDPR).

Before GDPR the rules about emails for individuals didn’t apply to emails sent to organisations. In May next year GDPR’s wider definition of personal data will include data relating to a person at their business. This means there will be no distinction between B2B personal data and B2C data. When sending marketing emails to businesses you will now need to use the consent principle or ‘soft opt in’ principle in the same way that you do with individuals. Giving businesses an ‘opt out’ option will no longer be sufficient.

Everyone sending marketing communications needs to understand the rules around consent, which are stricter under GDPR. You will need to provide comprehensive information (specific, informed) about what the person is consenting to, as well as ensuring they wouldn’t be disadvantaged if they didn’t consent (freely given). There must also be no doubt as to what they are consenting to (unambiguous) and no doubt as to whether they have actually given consent (clear affirmative action).

The exception to the consent rule is the ‘soft opt in’, which means sending marketing emails without a separate opt-in. It is allowed if the following three conditions are met: 1) the buyer gave you their contact details while making a purchase or negotiating a sale, 2) you are marketing a similar product or service, and 3) there is a simple unsubscribe option at the bottom of each email so that the recipient can refuse marketing at any point.


GDPR regards opt in emails and other soft opt in measures as a legitimate interest, which is the legal basis for sending direct marketing electronically. It covers email, SMS, social media and instant messaging apps. But you need to be clear from the start, when collecting personal data, which electronic channel you will be using, and make sure your marketing communications are relevant.

Legitimate interest may arise where consent is not viable or not preferred, although organisations will still need to show that there is a balance of interests – their own and those of the person receiving the marketing. With electronic communications, an unsubscribe link is simple to implement in cases of soft opt in by known customers.

When you send an electronic marketing message, you must identify yourself and provide a valid contact address. You must also have a complaints process in place.

If you are uncertain about how to make sure you have got valid consent, use an opt-in box on the email rather than an opt-out one.

You must then keep a list of people who have opted out and screen your mailing lists against it to make sure you do not email them in future.

At the moment the Information Commissioner’s Office will consider issuing a fine of up to £500,000 where an organisation persistently ignores individuals’ objections to marketing.

However, breaches of the new e-Privacy Regulation may attract fines of up to 4% of annual worldwide turnover, just like GDPR. It is not clear when the new regulation will take effect: a target date of May 2018 was set in line with GDPR, but this is likely to slip into early 2019, giving you a little more time to prepare.


Record CCTV footage carefully and store it safely to comply with GDPR

February 6th, 2018 | Blog, Content | 2 Comments

Personal data, according to the General Data Protection Regulation (GDPR), refers to anything that can identify an individual, including footage from CCTV cameras. Footage can be used as surveillance to deter or identify intruders and, if so, must be available to the Police as required. It must be stored securely and encrypted wherever possible.

GDPR is a new European regulation governing data protection, but the UK is introducing a very similar piece of legislation which will apply after Brexit. Personal data includes CCTV footage, email marketing, social media posts, names including newsletter recipients, European cloud storage, IP addresses for websites, as well as data already in scope under existing data protection law. GDPR is overseen by the Information Commissioner’s Office (ICO).

It allows individuals to request a copy of any CCTV footage in which they are clearly identifiable. If the request is valid, the organisation must show the footage to the individual within 30 days. GDPR will take effect on 25 May 2018, just over three months from now, and businesses need to be ready. It is very important that organisations get the use of data right because they can face fines of up to 20 million Euros or 4% of global turnover if they get it wrong. GDPR is overseen by the Information Commissioner’s Office (ICO), which sets the fines.

Individuals must give active consent, that is, consent that is ‘freely given, specific, informed and unambiguous’, so implied consent will no longer be sufficient. Organisations must make CCTV cameras very obvious and may need to obtain further explicit consent from individuals to record them.

Security operator looking at CCTV footage

To remain on the right side of the law, organisations must make sure that they can switch CCTV on and off and access a specific recording upon request. Footage and sound recordings should be captured separately to avoid being excessive, and must be stored securely. Take care with sound recordings, because it is intrusive to record conversations of staff or the public unless there is a strong and explicit justification, which is unusual.

Access to footage and sound should be restricted and safeguards need to be in place to prevent interception and unauthorised access. Footage should be deleted when it’s no longer necessary.

All CCTV footage needs to be underpinned by a written information retention policy that is understood by all operatives. Staff need to know how to respond to requests from individuals for access to footage and recordings. Individuals also need to know if they are in an area covered by CCTV and that they have a right to access recordings and footage.

CCTV security cameras must be clearly visible

How to remain GDPR compliant – protect your data

February 1st, 2018 | Blog, Content | 0 Comments

Currently, data in the UK is regulated by the Data Protection Act 1998, which followed the 1995 EU data protection directive. However, this is now being superseded by the EU General Data Protection Regulation, which brings the law up to speed with new ways that data is being used. There will be tougher fines for breaches of data protection, and the regulation gives individuals more say over what companies do with their data. GDPR standardises practice throughout the EU.

Even after Brexit, if UK companies want to trade with companies in the EU they will have to comply with GDPR, and the UK is introducing a very similar piece of legislation. Personal data includes email marketing, social media posts, names including newsletter recipients, European cloud storage, IP addresses for websites, as well as spreadsheets, photos, CCTV footage and documents.


Personal data is data that identifies a person; data already covered by the Data Protection Act will fall under the scope of GDPR. People can ask for their data at reasonable intervals and controllers have a month to respond. Controllers and processors should explain why the data is being processed, how long it will be kept and who will see it. An individual can ask for the data to be corrected or completed if they think it is incomplete or contains errors.

You need to get active consent from everyone you hold data about, and you need to be prepared to delete files as required. Failure to opt out no longer defaults to consent. Consent must be explicit and intentional. Consent gained before GDPR became law must meet the new, higher standard to remain valid. If you are in doubt, get updated active consent from all your subjects to ensure GDPR compliance.

Individuals can request that their data is deleted after it has been used, which is called the ‘right to be forgotten’. The same rule applies if they withdraw consent or object to the way it is being processed. The controller is responsible for telling Google, for example, to delete links to copies of the data and the copies of the data itself.

Businesses such as Google and Facebook share user data. GDPR has been introduced to regulate this to build trust and standardise data protection across the EU. This should reduce legal fees considerably.

GDPR will take effect across the EU from 25 May 2018 in its current form without the need for Member States to introduce their own national legislation. It applies to controllers of data who have strategic oversight of the data (such as a government) and processors (often IT companies) who process it. Controllers can be liable for a breach by one of their processors.

The clock is ticking before GDPR takes effect.

Controllers need to check that personal data is processed lawfully, transparently and for a specific purpose. When it is no longer needed, it should be deleted. Controllers need to record active consent to keep the data which can be withdrawn at any time.

Data breaches

Data breaches in the UK need to be reported within 72 hours to the Information Commissioner’s Office. You should explain what data has been exposed, what impact this will have for the people involved and what steps you’ve taken in response to the breach. You must also tell the people affected or face a hefty fine. Fines are becoming much bigger and are often 2% of annual turnover, rising to 4% if a controller or processor does not follow procedures. Fines still need to be proportionate, and evidence of compliance with GDPR will show good faith and should reduce the fine.
