A Guide to Complying with the New GDPR Act

You may have heard about GDPR (General Data Protection Regulation) coming into force on 25th May 2018. It’s an expansion of the Data Protection Act and you need to take some steps to comply with it.

There are misconceptions about it circulating, in particular that you can only keep someone’s data with their express consent, which isn’t true and a lot of guidance that isn’t practical, in that it fails to tell you what to do or is unnecessarily alarming or excessive in what it advises you to do to comply.

This guide is designed to enable you to comply without devoting necessary time and expense to doing so and having regard to the fact that APA members are generally using data responsibly and the companies in the enforcement firing line – those this legislation is designed to control because they use data irresponsibly

Most of the data you hold on individuals will be their name, address, phone number and email. Most of those will be staff, people you employ on a freelance basis, people you have worked with in the past and prospects eg. agency and client staff you market to.

Getting opt-in consent i.e. consent that requires them to say that they are happy for you to hold that data, rather than telling them you will do so unless they opt out, isn’t practical.

The good news is that you don’t need that consent – you can continue to keep and use that data under the “Legitimate interests” provisions in the GDPR guidelines.

So if you identify a legitimate interest – and there will be different ones for the categories of people you will hold data on above and you hold data for a purpose that someone would reasonably expect them to hold it for eg. to market to them because you are a company of a type they buy services from or might reasonably be expected to do so – you may hold the data you need to do that (in most instances, name, address, phone number, email).

You should keep a record to show that you have considered what the legitimate interest is to demonstrate compliance if you are challenged.

The other basis that will allow you to hold some data without express consent that may help you is the Contract category – where you need to hold the data to fulfill your contractual obligations to them.

You also need to safeguard the data and report to any individual whose data is compromised.

You should also provide a notice as to the data you hold and why. Rather than put this on every email, we would recommend you put such notice on your website, possibly in your “About” section. This is a sample notice:

“We comply with the GDPR and any data held by us is held on the following basis provided in the GDPR, Legitimate Interest or Contract and is only such data- typically name, email, phone number and address- necessary for us to contact you. If you have any issues or object to us holding your data and would like us to delete it please email [INSERT EMAIL ADDRESS].”