GDPR FAQs

When do I have to comply by?

GDPR comes into force on May 25th 2018.

What is Personal Data?

Personal data is anything that can be used to identify someone. This includes, but is not limited to, a name, email address, phone number, photo, social media posts and even an IP address.

I’m a sole trader / small business, does this apply to me?

Yes.

As this is an EU directive, will I still need to comply after Brexit?

Yes. The British Government has stated that this will be adopted after Brexit and will apply to UK residents as well as EU residents. Even if this were not the case, if you engage with EU citizens and collect their data you would still have to comply, even if your company is not within the EU.

Does this mean I can’t send any email to a customer without consent?

No. Transactional emails, such as those confirming that an order has been received, or emails that are fundamental to operations, may still be sent. However, all marketing emails must have been specifically opted in to. This could include emails inviting customers to visit a social media account, so care should be taken over the language used and whether the intent is to market the organisation.

Does this just apply to online records?

No. All records held, whether online, in the cloud or locally in a document, are covered. If you collect business cards and store them, they are also included, and you should ensure customers, colleagues and clients are aware that you hold this information and what its intended use is. Being handed a business card is not confirmation of, or opting in to, marketing either. Opting in must be a recorded process, as otherwise it could be claimed that you simply found the business card and were never handed it.

Does this just apply to customers?

No. Employee data must also be held in a compliant manner. For example, a company that holds an employee's personal data would be considered the data controller. If that company outsources its payroll to another company, the payroll company would be the data processor.

How do I make my email system compliant?

A great question and a very grey area! Receiving an email, by its very nature, will include personal data from the sender: as a minimum you will have, and be storing, their email address, without explicit consent to do so. At this stage my advice would be that it is reasonable to assume that the mere fact someone has sent you an email is also an acknowledgement that you will keep that personal data within your email system. The key is to ensure you manage that data properly, so that it is not passed on, sold or added to a mailing list without explicit instruction to do so. You must also ensure that your email system is secure and that you publicly state where email data will be stored and backed up to.