It is clear from the conversations I am having with my own network (mostly within the voluntary sector) that the GDPR is causing a lot of stress. Each individual I talk to seems to have a slightly different idea of what the requirements are and what they have to do to meet them.
With that in mind, here is my particular interpretation. I am not a lawyer and I’m not putting myself forward as a GDPR expert; however, I think a short summary of the main points is required, so I am trying to do that in this article.
The good thing is that if I’m getting it wrong it gives an opportunity for the real experts to put me right, hopefully as a comment that others can then read. So here is my interpretation of the GDPR in five numbered points.
1. You can only use data for the purposes agreed to
The GDPR requires that consent must be specific. This means you can’t add people to your general mailing list if they signed up for something else; i.e. if they signed up to get a free download or to register for a webinar, you can’t start sending them your newsletter.
‘Consent’ is the key word here. If you can’t demonstrate that consent was given, you must stop emailing them (from May 25, 2018). You must also keep a trail showing how they joined and how consent was given: when they signed up, on which form or page, and what they agreed to.
If you cannot prove that consent was given, not only must you stop emailing them, you must also remove them from your mailing lists. Consent must have been actively given, i.e. they ticked a checkbox, chose something from a pulldown list, or clicked a confirmation link during a double opt-in process. You are not allowed to use pre-ticked checkboxes saying that they agree to be on your mailing list; an unticked box that the person has to tick themselves is the test.
1.1 If the people on your mailing list gave consent in the past, do you need to seek it again?
Only if the consent originally given does not meet the GDPR standard described above (for example, it came from a pre-ticked box, or you no longer have a record of how it was given) and consent is the basis on which you hold the data.
If the original consent was actively given and you can still show how and when it was given, then on my analysis you do not need to seek consent once again. However, I am happy to hear from GDPR experts who can tell me that I am wrong, so please get in touch to confirm or deny my interpretation.
2. You must explain how data will be used
You are not allowed to collect data without explaining how you are going to use it. Clearly this is related to point 1; i.e. if they register for your newsletter, you tell them you will be sending them your newsletter; if they register for your webinar, you tell them you will use their details to deliver that webinar.
Unless you have specifically said that you are collecting their data to share it with a third party, or to market specific services or products, that is not something you can do. Each of these activities requires its own separate, active consent; one general tick box does not cover all of them.
3. You can only collect the data you need
You are only allowed to collect the minimum amount of data needed for your purpose. If your purpose does not require a physical address, you can’t collect that data; if your purpose does not require an individual’s age, you can’t collect their age.
4. You can’t keep data indefinitely
You should not keep data about people forever if there is no reason to keep it. If you no longer have a reason to keep data, you must delete it; in practice that means deciding up front how long each kind of data is kept and for what purpose.
5. You must protect the data you collect
You have to take appropriate steps to protect the data you collect, proportionate to the sensitivity of the data. This means that when you are collecting or storing information on your website you should provide a secure (HTTPS) connection, and the stored data should be behind access controls (e.g. password protected, with access limited to the people who need it).
I am not a lawyer or a legal expert on the GDPR; so please do not take the information provided above as the gospel truth. However, I recognise that this is a topic causing a lot of stress for the people in organisations I work with – so I have attempted to summarise and clarify my understanding in the clearest way I can. Hopefully I have got it correct and that there are people who will find this summary useful.
Contact me if you have any corrections about what I have written above and I will update this page.
Digital Access consultant