General Data Protection Regulation (GDPR) replaces the Data Protection Act on 25 May 2018. It is a pivotal piece of EU regulation which will be affecting every UK business for as long as we will remain in the EU (at least a year) and then it has been confirmed that it will be included in British Law.
One of the most frequently asked questions I am asked about GDPR is how small businesses process their leads. Small businesses collect tons of business card at Networking Events, surely if someone elected to give me a business card, that means he wants to hear from me again right?
Let me just say first that I feel like it is a horrible business practice to do so. By sharing a business card with you someone gave you a permission to contact you, but not necessary for marketing purposes. I wouldn’t blame to guy if he felt like he is being spammed.
GDPR in Article 6 defines that legal basis under which an organization can process data includes consent of the “data subject” which needs to be recorded. Article 9 further reiterates the need for “explicit” consent of the data subject is needed to lawfully process personal information. Therefore, before you can “just quickly add someone’s information” to your mailing list you must ensure that:
• You have a record of their permission to use the data they gave you for the purpose you intend to use them (verbal: give me a call in a few days doesn’t’ mean include me in your marketing list).
• They have a quick way of withdrawing they consent should they decide to do so
• The consent must be separate from normal “terms and conditions” and must be given in an affirmative action (no pre-ticked boxes etc)
You, therefore, a dear reader should exercise caution before you decide to process any personal data.