We’ve talked a lot about the ethos of GDPR and how its not supposed to scare people or be a killjoy. At it’s heart, GDPR is about balance, honesty, transparency & respect, even in the festive season!
In response to the joke that’s doing the rounds about Santa’s naughty and nice list contravening GDPR Steve Wood, Deputy Commissioner for Policy at the Information Commissioner’s Office (ICO) has published an enlightening article in this months ICO newsletter. He talks about GDPR and Christmas and what happens when people misunderstand the regulations.
In the first few months of GDPR, we were contacted by quite a few clients concerned about what they could or couldn’t do under GDPR. Could they still send clients a birthday card? Could they post photos of team events? Could they tell their suppliers their clients address?
The thing to remember is that you do not always need a person’s consent to use their information and even more so, to run your business you will need to share personal data at times! GDPR is, of course, not trying to stop you earning a living or make you robotic and unconnected in your communications with your audience. It just wants you to consider how you use this data, how you inform your data subjects and how you protect it while you are using it.
Steve Wood uses the example of sharing data to organise your school’s Christmas Fayre to contact members of the PTA and the volunteers. There has been an assumption that you are unable to do this because you don’t have consent or you’d have to go through a laborious ‘
“In short, you don’t always need consent to comply with GDPR – it is not the only lawful basis on which you can use someone’s personal information. For example, in this case, the school or PTA had a legitimate interest in being able to contact parents and volunteers.”
The legitimate interest being that have they expressed an interest in the Christmas Fayre and that without contacting them how can you
In the commerical world, you obviously have to give GDPR due care and attention. For example, if you are sending a genuine Christmas card to established clients then, of course, you don’t need consent. If however, your Christmas card is combined with some kind of direct marketing then you will need to consider; do I have consent to contact this client/prospective client in this way? If you don’t have consent, do you have a clear reason to send the card and will the recipient understand why they have received something from you? (i.e.do you have a legitimate interes).
As Steve says,
“…it is all about proportionality, balance and reasonable expectations.”
This is at the heart of GDPR. Balancing business needs with data protection. If you can always answer the question “Why are you using this data?” you will be on your way to a GDPR mindset!
Don’t forget anything you’re not sure of
In the meantime, enjoy the festive build up!
You can read the full article here: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/12/sleigh-ing-the-christmas-gdpr-myths/