10 key GDPR questions – answered


1. How do we classify photos – do they now count as personal information?

Whether a photograph counts as personal data depends on whether an individual can be identified from it and on how it is processed and used. The ICO's example: police photographing a crowd to identify troublemakers are processing personal data, whereas a photojournalist photographing the same crowd to record the event is not. If you use images of identifiable people for your own purposes, such as marketing, you need a lawful basis for doing so, in practice usually their consent, and you should give them the option to be excluded or blurred out.

A good example is the charity sector, where photos of people are used widely in marketing promotions, and all of these count as personal data. Each time you reuse a person's image on any piece of marketing collateral, remember that you are still processing their personal data, just in a different way.

2. How do we provide information at the point of gaining consent? 

How you provide it depends on how you are collecting the data. If it is through a sign-up form on your website, there should be explanatory text on that page and a link to your privacy / data usage policy. If you collect information on paper, the sign-up sheet must carry fully explanatory text and an unticked box through which the person gives explicit consent (a pre-ticked box does not count as consent).

The tick box should be clear and obvious, with no confusing double negatives or trick wording. Record, at the time, what the person agreed to, how they agreed and what they were told, alongside a confirmation of acknowledgement. This gives you a clear audit trail if the information, or the person's preferences, change later.

3. How should we deal with a request to be forgotten - from a data subject? 

Keep a record of erasure requests so that you can re-delete the data if it is later restored from a backup, and inform any third parties you have shared the data with so that they can erase it too. Any paper records of the person should also be destroyed. You do not have to delete a data subject's personal data, however, if it is needed for ongoing legal action (establishing, exercising or defending legal claims).

Not everyone can be forgotten, particularly in sectors such as healthcare, where records of serious illnesses may need to be retained on public health grounds even if a patient does not want their identity known. In these situations you need a process to assess the merits of each case, record how and why you reached your conclusion, and then respond to the person accordingly, normally within one month of the request.
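The "keep track of erasure requests so you can re-delete after a restore" advice above is easy to state and easy to get wrong. The following is an added example, not code from the original article or from SeeLogic, of a small erasure register: it records each decision (erased, or refused because of a legal hold) with its reason for the audit trail, and re-applies past erasures to records that come back from a backup. The subject identifiers, legal-hold set and backup records are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ErasureDecision:
    subject_id: str      # key used across your systems (often a keyed hash of the email in practice)
    decided_at: datetime
    outcome: str         # "erased" or "refused"
    reason: str          # why, kept for the audit trail


class ErasureRegister:
    """Register of erasure decisions that outlives the data it concerns.

    The register itself must survive backups and restores: if it is restored
    from the same backup as the customer data, the erasures are lost with it.
    """

    def __init__(self) -> None:
        self._decisions: Dict[str, ErasureDecision] = {}

    def decide(self, subject_id: str, legal_holds: Set[str],
               now: Optional[datetime] = None) -> ErasureDecision:
        """Record the outcome of a request, refusing only for an active legal hold."""
        when = now or datetime.now(timezone.utc)
        if subject_id in legal_holds:
            decision = ErasureDecision(subject_id, when, "refused",
                                       "retained for ongoing legal claim")
        else:
            decision = ErasureDecision(subject_id, when, "erased",
                                       "erasure request, no exemption applies")
        self._decisions[subject_id] = decision
        return decision

    def erased_subjects(self) -> Set[str]:
        return {s for s, d in self._decisions.items() if d.outcome == "erased"}

    def scrub(self, records: Iterable[dict],
              id_field: str = "id") -> Tuple[List[dict], List[str]]:
        """Re-apply past erasures to records coming back from a backup.

        Returns the records that may be loaded and the ids that were dropped.
        """
        erased = self.erased_subjects()
        kept: List[dict] = []
        removed: List[str] = []
        for rec in records:
            if rec.get(id_field) in erased:
                removed.append(rec[id_field])
            else:
                kept.append(rec)
        return kept, removed


# Constructed sample: a backup taken before two erasure requests were handled.
RESTORED_BACKUP = [
    {"id": "c-42", "email": "alice@example.com", "newsletter": True},
    {"id": "c-17", "email": "bob@example.com", "newsletter": False},
    {"id": "c-99", "email": "carol@example.com", "newsletter": True},
]

if __name__ == "__main__":
    register = ErasureRegister()
    legal_holds = {"c-17"}                      # constructed: c-17 is in litigation
    for subject in ("c-42", "c-17"):
        d = register.decide(subject, legal_holds)
        print(f"{subject}: {d.outcome} ({d.reason})")
    kept, removed = register.scrub(RESTORED_BACKUP)
    print("loaded from backup:", [r["id"] for r in kept])
    print("re-deleted:", removed)
```

The register holds only the identifier and the decision, not the erased data itself; in real systems the identifier is usually a keyed hash so that the suppression list does not become a second copy of the personal data it exists to suppress.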

4. What happens if we use a CRM system that has inadequate protection of personal data?   

A data controller has a specific duty to carry out due diligence on processors before appointing them, and to have a written contract with each processor covering security and the processor's obligations. If the system is inadequate, you as controller remain liable. Processors also have direct obligations under GDPR and can be fined for breaching them, and a processor that goes beyond your instructions and decides for itself how and why the data is used is treated as a controller for that processing.

Ultimately, the CRM is just one of many systems that hold data, and you will need to control access to all of them. It is therefore important that the correct processes are followed: identify what personal or sensitive information you record, how you control access to it, how you manage marketing preferences, and how these are then communicated to people.

5. Do I have to ask all contacts in my database for their opt-in to receive future communications?   

If you intend to use the data for marketing or sales purposes, you must have consent to contact those people. If you can demonstrate that you already hold consent under the existing Data Protection regulations that meets the GDPR standard (freely given, specific, informed and unambiguous), you can email them and ask them to specifically opt in to further communications. If they do not actively opt in, treat that as an opt-out. If you cannot demonstrate existing consent, an email asking them to confirm is itself an unsolicited marketing email: sending it is a breach and you risk a fine.

When someone signs up to something, there are normally two levels of permission to contact them. The first is their initial "opt-in" (stage one). It is good practice to confirm back to them what you intend to do, so that they reach stage two, the double opt-in. This ensures that future correspondence is welcome and relevant to the person, which increases the likelihood of a positive reaction.

6. Can I add business card information to my database and start communicating with them?   

If you wish to communicate with a person, you need to request and record their opt-in. When you meet people at events, ask whether they would be happy to receive communications from you and, if they say yes, tell them they will receive an email to confirm. To confirm their consent they must then click a link in that email or reply to you. Other affirmative opt-in methods include signing a consent statement or giving an oral confirmation that you record. If they do not respond, or choose to opt out, you cannot go on contacting them.

7. If someone enters their business card for a prize draw, can we send them information about our services?   

No. The information about the prize draw must state something like: "By placing your business card in the bowl you are only entering the prize draw. This does not constitute your opt-in to receive communications from us going forwards." It is also worth asking, at the same time but as a separate question, whether they are happy to receive communications from you, and telling them that they will receive an email to confirm that too.

8. When I buy a prospect list from a broker, can I then contact them?   

Anyone handling a list must make the people on it aware of specifically how their data is going to be used. For example, before GDPR an event registration form might have ended with: "XYZ company sometimes allows its partners access to XYZ's data; tick here if you are happy to receive communications from those partners." The information now needs to be very specific, naming exactly who those partners are and how they are likely to use the contact details, so that people can make an informed choice about whether to tick the box. If the broker cannot show you that the people on the list consented to contact from your organisation by name, do not use the list.

9. Do I have to get consent in writing?   

Consent does not have to be in writing, but you must be able to demonstrate that you have it. A signed form counts as proof, and so does an audit trail of someone opting in on a website: what they were shown, what they agreed to, and when and how they did so. "Clear affirmative action" means someone must take a deliberate step to opt in, even if this is not expressed as an opt-in box; silence, pre-ticked boxes or inactivity do not count. Other affirmative opt-in methods include signing a consent statement or giving an oral confirmation, provided you record it.

10. What’s the implication for securing and holding the data access key to allow decrypting?   

The overarching requirement of GDPR is that personal data is kept secure. If you share personal data with another company, perhaps for research, strip the direct identifiers first. Truly anonymised data, from which no individual can be identified by any reasonably likely means, falls outside GDPR. More often you will only pseudonymise it, replacing names, email addresses and other identifiers with artificial ones; such data remains personal data, and the key or lookup table that links the artificial identifiers back to real people must be kept secure and must never be given to the receiving company.

Have a process in place that records what data has been shared, with which third parties, for what reason and for how long. At the end of the arrangement, it is prudent to confirm how the data has been deleted.
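To make the pseudonymisation point concrete, here is an added example (not code from the original article or from SeeLogic) that replaces direct identifiers with a keyed HMAC token before a dataset is handed to a research partner. The key and the lookup table stay with the controller; the partner receives only the tokenised records and can still link rows about the same person, but cannot reverse the tokens. The field names, records and key are constructed for the example.

```python
import hmac
import hashlib
from typing import Dict, Iterable, List, Optional, Tuple

# Fields that identify a person directly and must not leave the organisation.
DIRECT_IDENTIFIERS = ("email", "name")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, one-way token for an identifier.

    HMAC rather than a plain hash: without the key, a recipient cannot rebuild
    the token from a guessed email address and so cannot re-identify rows.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def pseudonymise(records: Iterable[dict], key: bytes,
                 link_field: str = "email") -> Tuple[List[dict], Dict[str, str]]:
    """Split records into a shareable set and a controller-only lookup table.

    Returns (shared_records, lookup) where lookup maps token -> real identifier.
    Only shared_records goes to the third party; key and lookup stay behind.
    """
    shared: List[dict] = []
    lookup: Dict[str, str] = {}
    for rec in records:
        # Normalise so "Alice@Example.com" and "alice@example.com" link together.
        ident = rec[link_field].strip().lower()
        token = pseudonym(ident, key)
        lookup[token] = ident
        out = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out["subject"] = token
        shared.append(out)
    return shared, lookup


def reidentify(token: str, lookup: Dict[str, str]) -> Optional[str]:
    """Controller-side reversal, e.g. to action an erasure request later."""
    return lookup.get(token)


# Constructed sample records; the third one is the same person as the first.
RAW_RECORDS = [
    {"email": "Alice@Example.com", "name": "Alice", "postcode_area": "SW1", "condition": "asthma"},
    {"email": "bob@example.com", "name": "Bob", "postcode_area": "M1", "condition": "none"},
    {"email": "alice@example.com", "name": "A. Smith", "postcode_area": "SW1", "condition": "asthma"},
]

if __name__ == "__main__":
    key = b"controller-only-secret (constructed; load from a key store in practice)"
    shared, lookup = pseudonymise(RAW_RECORDS, key)
    for row in shared:
        print(row)                      # what the research partner receives
    print("rows about the same person link:", shared[0]["subject"] == shared[2]["subject"])
    print("controller can reverse:", reidentify(shared[1]["subject"], lookup))
```

Note what this does not do: postcode area plus a rare condition may still single someone out, so the output is pseudonymised rather than anonymised and is still personal data in the recipient's hands. Treat the key and the lookup table as you would any other credential: store them separately from the shared dataset, restrict who can read them, and rotate the key if it is exposed.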

Key steps to take now     

For organisations that are starting their journey towards GDPR readiness, here are some important steps that will help ensure successful outcomes. 

  • Raise awareness within your organisation and ensure people understand the changes and their responsibilities. Check whether you need to appoint a Data Protection Officer and determine who that will be and what training they might require
  • Carry out an audit of your data and establish what personal information you hold, and where and how it is stored and collected. Also check what processes are in place for obtaining this data and what security is in place to protect it
  • Assess your processes and procedures and establish how you can make your customers and prospects fully aware of how and why information is taken, processed and stored. Also identify how you are gaining permission to use it
  • Ensure there are simple processes for individuals to withdraw consent and, if they wish, to be forgotten. Set up a process to answer any data subject requests
  • Talk to your technology providers and ensure relevant systems, such as CRM, are fit for purpose. Ask suppliers what they are doing to ensure compliance and what support is being offered
  • If possible, centralise your data storage to reduce the number of places data has to be protected
  • Ensure storage is secure: firewalls, malware monitoring, strong passwords, access control, encryption at rest and in transit, etc.
  • Review your privacy policies and statements; these will probably need updating in order to comply
  • Finally, it is essential to train all staff so they become familiar with the key terms around GDPR and understand their responsibilities around data access. Staff also need to understand how best to manage third-party data suppliers, and to establish whether a supplier's location (inside the EEA, or a country covered by an adequacy decision) is considered safe for storing personal data

Eddie, Founder and Managing Director of SeeLogic 

Image Credit: Wright Studio / Shutterstock