Let's start a new Adventure...

Fill in your details below and let us know how we can help you. We’ll be in touch as fast as we can!

We take your privacy seriously and will never pass your details on to third parties. When you contact us we will store your personal details to contact you and to email you updates and offers from time to time in the future.

Are you taking GDPR too far (especially at Christmas)?

Are you misunderstanding GDPR?

We’ve talked a lot about the ethos of GDPR and how its not supposed to scare people or be a killjoy.  At it’s heart, GDPR is about balance, honesty, transparency & respect, even in the festive season!

In response to the joke that’s doing the rounds about Santa’s naughty and nice list contravening GDPR Steve Wood, Deputy Commissioner for Policy at the  Information Commissioner’s Office (ICO) has published an enlightening article in this months ICO newsletter. He talks about GDPR and Christmas and what happens when people misunderstand the regulations.

In the first few months of GDPR, we were contacted by quite a few clients concerned about what they could or couldn’t do under GDPR. Could they still send clients a birthday card? Could they post photos of team events? Could they tell their suppliers their clients address?

The thing to remember is that you do not always need a person’s consent to use their information and even more so, to run your business you will need to share personal data at times! GDPR is, of course, not trying to stop you earning a living or make you robotic and unconnected in your communications with your audience. It just wants you to consider how you use this data, how you inform your data subjects and how you protect it while you are using it.

Steve Wood uses the example of sharing data to organise your school’s Christmas Fayre to contact members of the PTA and the volunteers. There has been an assumption that you are unable to do this because you don’t have consent or you’d have to go through a laborious ‘consentual‘ process with everyone involved with the PTA to be able to do so. Steve explains,

“In short, you don’t always need consent to comply with GDPR – it is not the only lawful basis on which you can use someone’s personal information. For example, in this case, the school or PTA had a legitimate interest in being able to contact parents and volunteers.”

The legitimate interest being that have they expressed an interest in the Christmas Fayre and that without contacting them how can you organise the Fayre in the first place? What you may want to draw from GDPR is how you respectfully handle their data. For example, using BCC on emails so that there email remains private from others. 

In the commerical world, you obviously have to give GDPR due care and attention. For example, if you are sending a genuine Christmas card to established clients then, of course, you don’t need consent. If however, your Christmas card is combined with some kind of direct marketing then you will need to consider; do I have consent to contact this client/prospective client in this way? If you don’t have consent, do you have a clear reason to send the card and will the recipient understand why they have received something from you? ( you have a legitimate interes).

As Steve says,

“…it is all about proportionality, balance and reasonable expectations.”

This is at the heart of GDPR. Balancing business needs with data protection. If you can always answer the question “Why are you using this data?” you will be on your way to a GDPR mindset!

Don’t forget anything you’re not sure of drop us a line. Penny’s happy to help anytime.

In the meantime, enjoy the festive build up!

You can read the full article here:

Share this post