Comment: Using a sledge hammer to crack the data nut?

editorial image
0
Have your say

General Data Protection Regulation. GDPR. Doom and gloom. Is it “The end of the world as we know it”, “I predict a riot” or in fact “Let’s stay together”?

Having just attended the Chartered Institute of Public Relations Scotland’s very insightful GDPR seminar, I’m feeling a lot more positive about this thorny issue which is likely to be currently preying on the minds of almost everyone in business. In view of the 25 May deadline looming large later this week and the barrage of misinformation and confusion around GDPR, I thought I would share the key points that I took from this event.

The panel very helpfully featured a lawyer who focused on common sense application of the legal changes. As I am not a lawyer myself, my own observations of this event are not legal advice, but will hopefully be useful nonetheless to those of us currently ploughing through the minefield of GDPR.

Everyone reading this is likely to have been on the receiving end of a deluge of opt-in emails over the past few weeks, requesting permission to keep in contact. The panel helpfully highlighted that email consent is nothing new and indeed rules on this are different for consumers and businesses.

A key point for me was that if you have someone’s business contact details because you provide them with goods or services, unlike private individuals, this does not require opt in consent. However, it is still good practice to share your privacy policy and offer your business contacts the option of opting out too. If you have already asked people to opt in in the past, sorry to be the bearer of bad news, but you will still need to be able to demonstrate you have this consent going forward.

If you are in touch with individuals as consumers, the panel made it clear that different rules apply and the individuals’ consent is in fact required for your organisation to keep in touch with them. It is also important for the organisation to be clear on what sort of consent the individual has given, so replying to a competition with an email address doesn’t give blanket permission to bombard that individual.

As a communications professional I was listening intently for answers to the tricky question of dealing with journalist and media contacts. This issue divided the panel, but it is fair to say that using a paid-for media database doesn’t mean you can avoid being considered a data controller; you and your organisation are probably still likely to be downloading data and using it for your business purposes. The same applies to customer relationship management platforms, so the onus for data control still lies with yours truly. The key here is to be able to demonstrate legitimate business use, rather than unsolicited marketing. Again, it would also be helpful to share your privacy policy and make it clear that your contacts can opt out.

The panel were very clear that politicians are considered as private individuals, so if you are communicating with them, it would be considered good practice to ensure you and your organisation have their consent to keep in touch.

Photography consent, particularly at large scale events, was raised by several delegates. The panel’s advice was to make it clear to event attendees – possibly through signage at the event – that photographs would be taken and images may be used at a later date. A belts-and-braces approach could be to include this information in any pre-event communications with delegates, which could allow people to opt out in advance.

As a business owner, I must admit that GDPR does seem a bit like using a sledge hammer to crack a nut. However, the panel emphasised that being able to demonstrate clear records, evidence of a willingness to comply, and having up-to-date systems will stand you in good stead. So maybe not so complicated after all, though time will tell.

- Julie McLauchlan, managing director at Perceptive Communicators