BLACK FRIDAY AND CYBER MONDAY are the biggest retail opportunities of the year for UK businesses. This year is the first time businesses need to consider the EU General Data Protection Regulation 2016 (GDPR) in their preparation for Cyber Week. We will be running a free GDPR Update Webinar on 2 November at 12:30 pm, which you are invited to attend by registering here. In the meantime, this and the other blog posts in our GDPR and Cyber Week series should prove a useful resource.
GDPR came into force in May 2018 and, together with other applicable national legislation, regulates how businesses process personal data.
Here are a few tips to help you be more GDPR compliant in preparation for Cyber Week.
First of all, consider whether your business processes personal data of individuals based in the EU or processes personal data within the EU. Personal data is a widely defined term and includes any information that may identify an individual, including name, contact details, ID numbers, photographs and other similar information. If you have business dealings with customers and suppliers based in the EU or are yourself EU based, you will likely need to be GDPR compliant.
If your business processes personal data as described above (processing includes collecting, storing, disclosing, deleting and otherwise dealing with personal data), you will need to assess your business to make sure you are GDPR compliant in time for Cyber Week.
Being GDPR compliant includes having the right internal and external documents, as well as all the correct processes, in place.
Specifically for Cyber Week, some of the areas of your business’ GDPR compliance may include:
GDPR compliant consent language, where necessary
Consent is one of the 6 lawful bases for processing personal data. It is often used for collecting personal data from individuals for marketing purposes, or where you process special categories of data (sensitive data), including medical information, political opinions, ethnic origin (often apparent from photos) and some other categories.
There are rules in place to ensure that your customers and other data subjects give their consent freely, and there is certain information that you will need to keep on file so that you have evidence of every individual’s consent.
You may want to target individuals in their professional capacity, or otherwise rely on the legitimate interests basis (rather than consent), to market your products and services. However, where personal information is used on the basis of legitimate interests, it is essential to have the right internal and external documents outlining the three-step analysis, to show that you have analysed the potential harm to individuals and are confident that the harm does not outweigh the benefit of the legitimate interests.
How long do you keep personal data for?
At the point of collecting personal data you will need to let individuals know about your retention periods and, where retention is a complex subject for your business, have an internal Data Retention Policy in place too.
Any personal data collected and processed should be kept securely. Make sure you have a policy in place in relation to data security and a procedure for reporting any data breaches, should they occur. Data controllers have an obligation to report any data breach to the authorities within 72 hours of a breach occurring. Potentially substantial fines can be handed down by the Information Commissioner’s Office (ICO); in our recent article on getting prepared for Cyber Week we looked at some of the high-profile cases that are coming down the pipe.
Sharing personal data with others
You will need to make sure that there are agreements in place with any parties with which you share personal data. This includes where they are mere data processors, such as providers of IT, human resources or accountancy services, or where your customers’ personal data is stored on an external server owned by others.
Data processors (parties that do not determine the means and purposes of processing) have to act strictly in accordance with the controller’s instructions. They must have appropriate security measures in place and have a number of other obligations, such as giving the controller an opportunity to object to any sub-processors being appointed.
GDPR is a complex subject, but there is still enough time to become GDPR ready and compliant for this year’s Cyber Week. Doing so gives your customers the confidence that you are taking data protection requirements seriously and will do what you can to keep their data safe and secure.
For a detailed analysis of your current compliance with GDPR, and help with drafting any necessary documents and reviewing your emails and consent language in readiness for Cyber Week, please contact us by entering an enquiry or call us today on 020 7148 1066.
How to get prepared
If you are not sure that you are fully GDPR compliant, LawBite is here to help. Please get in touch with a member of the LawBite team to receive a 10% discount on our GDPR Rescue Pack, which includes 12 GDPR compliant templates, a 30-minute GDPR audit consultation and 2 hours of specific GDPR legal advice for only £445 + VAT. Please quote discount code CYBER10, valid until 26 November 11.59pm.
Our free GDPR Update Webinar on 2 November at 12:30 pm, which you are invited to attend by registering here, will also provide you with some expert data protection guidance and an opportunity to ask any questions that you might have during the Q&A.
The author of this article is expert LawBrief Alla Fairbrother. For further business legal advice, please enter an enquiry or call us today on 020 7148 1066 to speak to a member of our friendly Client Care Team.