GDPR – 12 months to go, 12 things to think about (Part 2 of 4)

With less than a year to go to be ready for GDPR, here are three more of the 12 things you might want to be thinking about.

In Part 1, we covered raising awareness, data audits and privacy notices.

4.    Individuals’ Rights

Just ‘getting ready’ for GDPR is not going to be good enough because you may also have to prove to the regulator that you are ready for GDPR. One critical proof point will be the decisions you make in getting ready for GDPR, as well as what you will do going forward after its implementation. Get in the habit now of documenting all of your decisions and the deliberations that went into them (more on this under the Protection by Design section). You will also need to have clearly defined and documented policies and procedures to comply with GDPR. These cannot be the kind of documents that are written and then live in a cupboard just in case something goes wrong; rather, they need to be distributed to staff in a useful format with comparable training so that the processes become habit within your organisation.

One area that is very well suited to this is protecting individuals’ rights. Most of the rights under GDPR are not that different from those under the DPA, but now is a good time to ensure that you have your documentation in order. It is also a good time to ensure that your procedures will be compliant around things like correcting data and subject access requests.

5.    Subject Access Requests

While we are on the topic of Subject Access Requests, these are changing under GDPR. First, the downside: you will no longer be able to charge for these and you will have to reply within 30 rather than 40 days. You will also have to provide some metadata along with the data subject’s own data, such as your data retention periods and many of the other things covered under the notices provision.

The good news is that you can charge for or refuse excessive requests (too frequent) and you can ask the data subject to specify the data they are looking for if you process large amounts of data. You will also be able to provide the data electronically in many cases.

6.    Legal Basis

Under the GDPR, the legal basis for processing data is all-important because individuals’ rights can change depending on the legal basis you determine for processing the data. It will be important for businesses to balance the requirements of consent and the legitimate interests that the GDPR provides for. The other legal basis that many email marketers will rely on is processing the data with the subject’s consent.

That puts us halfway through the twelve things you should be thinking about to prepare for GDPR. Check out Part 3.

Editor’s note: The materials and information above are not intended to convey or constitute legal advice. You should seek your own advice specific to your business’s requirements.
