GDPR and The Looming ‘Deadline’ – What To Do First

Transcript of the Video

Good afternoon ladies and gentlemen. Suzanne Dibble here, data protection law expert. Coming to you raw and uncut on a bank holiday Monday. What a glorious day it is, too.

Now I did actually do a video yesterday. I did two actually last night at 2 am, and then the things wouldn't ... they just refused to upload. So I'm still on my record. I've still done a video every day, but once I've sorted out why they won't upload then we'll add those as well.

But I just wanted to do a quick video today for those of you; I've had quite a lot of you emailing me to say, "Help! The deadline's only two weeks away. What should I be doing?" There's a mass of information in the group. I need to know what to focus on. So here’s my advice to you, my guidance to you, if you want to do the bare minimum between now and the 25th of May. And all is not lost. There's still plenty of time, so don't panic is the main thing to remember.

I'm just going to put my sunglasses on actually because I'm squinting away here. It's very bright.

So, first things first. Hopefully, you've worked out that GDPR does actually apply to you. That's the very first thing. If you haven't then go and watch my video on the territorial scope, but essentially if you are established in the EU then GDPR applies to all of your processing of all of your data. If you're not established in the EU but you intend to offer goods and services to people within the EU or you're targeting people within the EU, then GDPR applies to you. For more on that, go and watch the video on the territorial scope.

So that's the first thing. If you've decided it doesn't apply to you, happy days. You can ... Oh, hello. That's my little doggy. Hello. Hello, yes. I'm doing a little video.

So if it doesn't apply to you, happy days, go and put your feet up. If you have decided it applies to you then what do you need to do between now and the 25th of May, which is the date on which this thing comes into force.

Well, the very first thing is to get a really good sense of what data you are processing. So understand what personal data is. Understand what processing is. Both of them are wide. So, personal data includes any data that can identify a living individual. That could be just a name and an email address, for example. Processing, extremely wide, includes storing. I've had lots of people say to me, "Oh, but I'm not doing anything with the data. I'm just storing it." Well, unfortunately, that also counts as processing.

So do your data inventory. Now there is one in my pack. Details of that are in the pin post if you haven't yet purchased that.

But the very first thing, data inventory. What data are you holding? What are you doing with it? What are the purposes of what you're doing with it? Where are you transferring it to? Who's processing it for you? Etc. So there's a number of questions that you need to ask yourself about the data that you are processing. That's the very first step.

Once you've done that, and that's probably I'd say, the thrust. That's going to be the thing, which is more time consuming, to get a really good grip on the data that you're processing and what you're doing with it, where you're transferring it to etc. So that's the very first thing.

Then after that, you need to start thinking about a couple of key documents before the 25th of May. Now, in this video I'm assuming that you don't have employees; otherwise, I'm hoping that you would have got around to looking at this a lot earlier. So really we're thinking about what we need to do by the 25th of May, in terms of non-employees. Well, a lot of it is going to be around putting your privacy policy in place and getting fresh consent from your list if you need to do that.

With getting fresh consent from list, if you already have a GDPR standard of consent to sending them marketing emails, well not just marketing emails, but to processing their data generally, if you have decided that consent is the lawful ground of processing then you need to get that fresh consent before the 25th of May.

So first, don't be confused into thinking that GDPR is all about consent, because it isn't. And if you haven't watched the overview video, or the marketing video then go and have a look at what are the lawful grounds of processing, and also the data protection principles. That's two really key areas of what you need to know about GDPR. And it will take you 15, 20 minutes to get a good overview of that.

Consent is just one of those lawful grounds of processing, but if you've decided that's what you need in order to process for your marketing emails and you don't have a GDPR standard of consent already then you need to get that fresh consent before the 25th of May. Now you'll need to send an email to those people on your list and say, "Here's my new privacy policy, and can you consent to me sending you marketing emails?" Now there's a suggested email in my pack. So if you bought that you can go and use that email.

Now, remember, it might take more than one try to get people to opt-in. People are getting a lot of these emails at the moment, and you don't just have one bite at the cherry. So if you can have a re-engagement campaign before the 25th of May that's getting people excited about saying yes to receiving your marketing emails going forwards, then fantastic. If you leave it until the 24th of May and just send one email, chances are not many people are going to click on that.

Sorry, just giving my hand a rest. I have no got a ... I've not got a ... I'm going to have to hold this hand out. I've not got a stand out here. What are those things called? Tripod. I have not got a tripod out here.

So that's something to think about, really as soon as you can, is working out your lawful ground of process, and if you're relying on consent for marketing emails, and you haven't got your GDPR standard of consent then you need to start thinking about that, certainly within the next week I would say, because post the 25th of May if you don't have that consent and there isn't another lawful ground of processing then you can no longer do that processing. I.e., you can no longer send those marketing emails.

I've done lots and lots of videos on this in the group, particularly in the context of ... Well, two things really. One is the refreshing of consent, the other is going forward in terms of the consent that you need for things like lead magnets. So do go and watch those videos if you haven't. If you haven't discovered it yet there is a list of all of my videos in the file section of the Facebook group. So you can scan down that quite quickly, see the title, see the relevant video, and then just click on the link to watch it. So don't feel that you need to watch all of the videos. I think if you did you would go a little bit mad, and you certainly won't really have the time to do that and take it all in and work out what you need to do before the 25th of May.

So that's the first thing, work out do you need fresh consent or not. Now even if you don't need fresh consent, maybe you've decided that your lawful ground of processing is legitimate interests, and under PECR you're relying on the soft opt-in, for example. Maybe because these are existing customers that you're sending marketing emails to, then you still need to send them an email advising them of your new privacy policy with the link to the privacy policy and advising them, well reminding them of the fact that they can opt out at any time.

Actually, I've just today, I'm adding to the pack an email that is that type of email. So it's an opt-out email, rather than an opt-in email that's also in the pack. So then check that out.

Before actually, before you send that email you obviously need to have completed your privacy policy, and the data inventory will inform what you put in that privacy policy. So actually, once you've done the exercise of the data inventory putting in place your privacy policy is actually quite easy because you're just getting ... You're looking at your data inventory and pretty much transposing that over into the template. Now obviously there's a privacy policy in my pack, so if you don't have one of those then, again, you can get that from there. There are two different types. One is where you're collecting data through your website, the other is for offline data collection. So there are those two types in there for you.

So, obviously you need to have your privacy policy complete before you send either of those emails, the one asking for opt-in consent, or the other one advising of the privacy notice and reminding of the right to opt-out. And I say that needs to be done by the 25th of May.

So that's really the main thing that you need to be thinking about before the 25th of May. Certainly, the Information Commissioner’s Office in the UK has said that the... It's not like ... I've always said this, there's not a big guillotine going to fall from the sky and any slight noncompliance is going to result in a fine or any other kind of consequence for you. It's a case of working towards compliance, but I think those things that I've mentioned that would be very wise to do before the 25th of May.

So the rest ... Yes, of course, we need to work towards compliance on the rest of the issues, but if I had to name the top three things that if I had limited time between now and the 25th of May that I would be doing, those are my top three. It's getting your data inventory sorted. It's getting your privacy policy in place, and it is sending out that email saying ... I haven't got my ... Well, you don't say it. There are so many words, but effectively you haven't got your GDPR standard of consent so you're asking people to opt-in to your marketing emails, or on the other hand if you don't need to do that for the reasons I mentioned before and you're advising of your new privacy policy and remind of the right to opt-out, then those emails you need to be thinking about sending before the 25th of May.

Okay. I'm going to ... Dear me. I'm going to end it there because my muscles have clearly not been working out enough because my muscles are giving way now just from holding the camera like that for ten minutes. So I'm going to end it there.

So I hope that helps those of you who are feeling slightly panicked now by the looming deadline. Please don't panic. Remember that certainly, the ICO in the UK has said it works with a carrot more than the stick, so as long as you are taking steps to compliance, in my view, you'll be absolutely fine.

So that's it. I'm off to Dubrovnik tomorrow. Actually with my ... Oh, dear. I'm going to have to rest my arm there ... with my other business, so I'm going to be pretty much out of action all of this week. I'm still going to be finding time to be doing a video a day though, because that was my commitment. So I'll be filming the videos from the beautiful Dubrovnik, in Croatia. For those of you who've been, you know it's an absolutely stunning destination. So I'll be very happy to be there.

So you're in good hands with the support team who are all back after the bank holiday weekend tomorrow. So I'm confident that they will continue to look after you. And Veronica, who has been such a huge, huge help in all of this, will be still maintaining a very regular presence in the Facebook group.

So thanks to all of you. I hope you've all had a wonderful weekend whatever you've been up to, and I will be saying hello from Dubrovnik tomorrow.