GDPR: Top Five Questions Answered

By Yusef Sanei

With #DeleteFacebook erupting throughout the Twittersphere due to the Cambridge Analytica scandal, data and data transparency have been dragged into the spotlight. Data is personal, political and profitable, which makes the impending GDPR implementation more relevant than ever.

Over the past year or so, much of the GDPR coverage has been scaremongering sensationalism, focusing almost entirely on the hefty fines that businesses could potentially be made to pay. The Cambridge Analytica scandal that is still unfolding before us highlights that GDPR is not the product of an overly bureaucratised European Union consumed by tangling us in a web of regulations. Rather, those regulations are in place to ensure the protection of the individual and the business.

That being said, GDPR is complex and still raises many questions. In light of this we have compiled a list of the most common questions we get asked on a daily basis, in an attempt to bring some clarity to the situation.

Are B2B email addresses considered personal data?

The short answer to this is both Yes and No. Any B2C data, or email addresses of sole traders, under the ICO’s Direct Marketing Checklist, are considered personal data. Upstream only holds personal business emails (B2B email addresses), which can still be marketed to under the new GDPR changes; however, they must be contacted with “legitimate interest” and given a clear opt-out.

Article 6(1)(f) gives you a lawful basis for processing where:

“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

Will GDPR stop me from telemarketing?

Again, the answer is as above. Keep your calling focused and, most of all, relevant. You can use the legitimate interest reasoning to have a lawful basis to call someone, but it is being advised that you give contacts an opt-out option when calling. Something as simple as “Would you mind if I contact you again in the future?” will help with this. Just be sure to record all previous conversations and make it clear where people no longer want to be contacted again.

With Brexit, we don’t need to worry about GDPR as we live in the UK and contact UK companies?

The UK Government themselves have confirmed that GDPR will still apply to the UK even after Brexit. After Brexit, there may be one or two changes to the current GDPR legislation; however, the guidelines set out by GDPR and the new ePrivacy Regulation will be used as a tight guideline for the UK, so do not expect anything to change anytime soon!

Even if we don’t comply, does it really matter? These are surely only guidelines, not actual laws.

Just to be clear, GDPR is being set out as a legal requirement for anyone processing data within Europe. Failure to meet these requirements can be met with hefty fines of up to 4% of the company’s worldwide turnover or €20 million (whichever is greater). In the UK, the ICO (Information Commissioner’s Office) will be in charge of issuing any fines.

Does GDPR mean I need to delete all of the current contacts in my database/CRM?

Wetherspoons may have deleted their entire database, but you don’t have to! What will be paramount is to ensure your database is as accurate and up to date as possible. This means going through all of your records, ensuring that they are correct, and making it everyone’s responsibility in your organisation to keep them up to date going forward. The only time you will need to delete a contact is when they request it, under Article 17 of GDPR, which gives everyone the right to be forgotten.

Do all of our contacts have to opt-in?

Whilst it is best practice to have your contacts already opted in, Article 6 means that any direct marketing does not have to be consent based. However, if you are using GDPR’s own terminology of ‘legitimate interest’ to market directly to contacts, make sure that your messaging is relevant to the recipient and has a clear opt-out from further communications, and that you then record specifically the outcome of the communication, e.g. the time/date of their opt-out if they requested one.

We hope this sheds light on some of your concerns and highlights that GDPR is not the doomsday some would suggest but rather a reminder to all businesses to implement best practice. If there is one thing we should take away from this week’s events concerning Cambridge Analytica, it’s that data regulations should be taken seriously and businesses, irrespective of size, should ensure they follow these necessary regulations for the protection of themselves and the individual.

Still have questions about GDPR? Feel free to call or email now and we can show you how Stay Upstream can get you ready and raring to go ahead of 25th May.
Email or call Chris Finnegan – / 0203 861 4459

Please note that this article is written from the writer’s point of view. The information herein does not replace qualified legal advice, and should not be taken as such. Please consult with legal experts if you would like further clarification.

