As part of our commitment to providing resource support to our clients and business network we have been running a series of GDPR Webinars. Delivered by our data protection expert LawBriefs these Webinars have provided the opportunity for businesses of all types to inform themselves about the new regulation and to ask our LawBriefs specific questions during the Q&A sessions that followed the presentations.
Here, we have collated some of the answers which featured in the most common themes of:
- Consent (Opt-in)
- Third Party relationships
- GDPR for small businesses
Question 1: Is there any exact wording required regarding consent?
So, for example, if clients’ data will be transferred to countries outside of the EU or passed on to any third parties then this would need to be mentioned. You also have to keep records of how consent is taken, the date and the scope.
Question 2: How often do you need to ask people for consent to continue contacting them? (e.g. If you have an existing database of contacts)
LawBite: If you have evidence of receiving consent from people on an existing database, then that is fine. You need to know when consent was originally obtained. If you don’t have evidence of consent then you need to ask for a fresh opt-in. It is a risk that you will lose people from your database, but it is a necessary action to take. You should also include a link to your data privacy and processing policies.
Question 3: Should we update our NDAs with opt-in consent to store client data?
LawBite: Consent should be separate from other documents and not bundled in with general terms and conditions including NDAs. Depending on your circumstances, it may be possible to process personal data under the lawful basis of “Contract” where consent is not required. In this case you would need to document these specifics in your Data Protection policies and procedures.
Question 4: Under the GDPR is cold calling permitted?
LawBite: B2B cold calling may be fine to do as a legitimate business interest but you will need to have the right documentation in place internally to support this.
Question 5: Does GDPR also apply in B2B marketing, in which individuals are contacted via email or call?
LawBite: Yes, GDPR applies to B2B marketing. We advise that an opt-in is acquired for ALL subjects contacted. We also advise that you get an opt-in for all your potential marketing list customers.
Question 6: Do you need separate explicit consent from your contracted employees in order to process their data?
LawBite: It depends on the reasons for processing the data. When looking at employees’ data we generally advise that our clients rely as much as possible on the basis of contract. Where it is necessary for the employer to process data on the basis of the employer’s legitimate business you would need to present your employees with a privacy notice specifically for the processing of their data since the employee’s consent is not always considered freely given due to the unequal nature of the relationship.
We have documents and templates to help you with such a privacy notice, consent document and employment contract clauses. For any non-essential activities, such as investment schemes or health insurance the relevant data controller will need to obtain separate consent.
Question 7: If customers place orders over the phone by calling in could opt-in consent be gained verbally, or could the order confirmation email contain all the data details and an opt-in to marketing communication?
LawBite: You will not need permission to use personal data if it is used for processing orders. It is possible to obtain consent verbally, but you will need a robust process in place and keep evidence of the date, scope and method of consent.
Question 8: What would be considered evidence of a previous opt-in?
LawBite: Written records, such as emails, notes, process maps that would show each of the individuals opt-in date, how it was obtained and scope.
Question 10: We send customer contact and address information to third party suppliers to supply certain products, would our customers need to give consent for us to give this information over, what would we require from the 3rd party?
LawBite: This is an example of where you can rely on the agreed contract because using this supplier is the method by which you fulfill your client orders, so you wouldn’t need separate consent in this type of situation. It would be necessary to determine if your supplier is a data processor or controller. We can help you with the right wording to use and with a suitable contract for your 3rd party suppliers. You will need this to be in place with your supplier.
Question 11: Is an external accountancy firm (which does a company’s payroll) classified as a data processor? If so, do we need to have a signed data processor contract or just confirmation that they are GDPR compliant?
LawBite: Yes, they are likely to be classed as a data processor. You do need to have GDPR compliant clauses in your contracts with them. You also need to have additional language in your agreements or a separate data processing agreement to ensure that you are GDPR compliant.
Question 12: If we use a third party for creating invoices do we have to inform clients about this third-party relationship? Who has responsibility for data protection compliance us or the third party?
Question 13: Will GDPR also apply to small businesses?
LawBite: GDPR is enforceable for any business that processes personal data. You must have your internal documents (such as data protection policy, data retention policy and IT security policy) and external documents (privacy and cookies policy) in place even if you are a small business.
Question 14: I was just wondering what would be sufficient security measures for a sole trader?
LawBite: The GDPR is not very specific about security measures. You should think about the data you’re processing and how it affects individuals. Also think about your premises, passwords and encryption. Do you use reputable suppliers for data storage and what kind of security measures do they have?
Question 15: Do you still need GDPR if you are a very small organisation made up of only 3 people and do not do any e-commerce and are only B2B?
LawBite: Yes, you still need to address GDPR as you are still likely to process personal data. Even if it’s just to comply with your contractual requirements or order processing you still need internal documentation to cover how you handle data.
You need to think about whether your organisation collects and/or processes any personal data that could identify an individual. If you collect and process your customers’ or their employees’ names, surnames, addresses, etc. then that is personal data. It may be that your documents would be not as lengthy as those of larger companies processing large amounts of data but are still definitely required.
As a service provider do we need to list each third party we deal with? This is part of our IP and could be detrimental to the business.
As a data controller you would typically specify all third parties with who you deal in your privacy notice. As a processor you would need to present the list to your controller to give an opportunity to object to sub-processors.
We really hope you have found the above useful but please feel free to contact us for data protection legal advice, either by calling our GDPR team directly on 0845 241 1843 or by sending us an email with any questions you may have. Only two weeks to go until the compliance deadline and we’re here to help!
Information provided during the webinar and in this document is indicative only and does not constitute legal advice. Please contact us for specific legal advice tailored to your business.