Transcript of the Video
Good afternoon ladies and gentleman. Suzanne Dibble here, data protection, law expert. Coming to you raw and uncut on a bank holiday, Monday. What a glorious day it is, too.
Now I did actually do a video yesterday. I did two actually last night at 2 am, and then the things wouldn't ... they just refused to upload. So I'm still on my record. I've still done a video every day, but once I've sorted out why they won't upload then we'll add those as well.
But I just wanted to do a quick video today for those of you; I've had quite a lot of you emailing me to say, "Help! The deadlines only two weeks away. What should I be doing?" There's a mass of information in the group. I need to know what to focus on. So here’s my advice to you, my guidance to you, if you want to do the bare minimum between now and the 25th of May. And all is not lost. There's still plenty of time, so don't panic is the main thing to remember.
I'm just going to put my sunglasses on actually because I'm squinting away here. It's very bright.
So, first things first. Hopefully, you've worked out that GDPR does actually apply to you. That's the very first thing. If you haven't then go and watch my video on the territorial scope, but essentially if you are established in the EU then GDPR applies to all of your processing of all of your data. If you're not established in the EU but you intend to offer goods and services to people within the EU or you're targeting people within the EU, then GDPR applies to you. For more on that, go and watch the video on the territorial scope.
So that's the first thing. If you've decided it doesn't apply to you, happy days. You can ... Oh, hello. That's my little doggy. Hello. Hello, yes. I'm doing a little video.
So if it doesn't apply to you, happy days, go and put your feet up. If you have decided it applies to you then what do you need to do between now and the 25th of May, which is the date on which this thing comes into force.
Well, the very first thing is to get a really good sense of what data you are processing. So understand what personal data is. Understand what processing is. Both of them are wide. So, personal data includes any data that can identify a living individual. That could be just a name and an email address, for example. Processing extremely wide includes storing. I've had lots of people say to me, "Oh, but I'm not doing anything with the data. I'm just storing it." Well, unfortunately, that also counts as processing.
So do you data inventory. Now there is one in my pack. Details of that are in the pin post if you haven't yet purchased that.
But the very first thing, data inventory. What data are you holding? What are you doing with it? What are the purposes of what you're doing with it? Where are you transferring it to? Who's processing it for you? Etc. So there's a number of questions that you need to ask yourself about the data that you are processing. That's the very first step.
Once you've done that, and that's probably I'd say, the thrust. That's going to be the thing, which is more time consuming, to get a really good grip on the data that you're processing and what you're doing with it, where you're transferring it to etc. So that's the very first thing.
With getting fresh consent from list, if you already have a GDPR standard of consent to sending them marketing emails, well not just marketing emails, but to processing their data generally, if you have decided that consent is the lawful ground of processing then you need to get that fresh consent before the 25th of May.
So first, don't be confused into thinking that GDPR is all about consent, because it isn't. And if you haven't watched the overview video, or the marketing video then go and have a look at what are the lawful grounds of processing, and also the data protection principles. That's two really key areas of what you need to know about GDPR. And it will take you 15, 20 minutes to get a good overview of that.
Now, remember, it might take more than one try to get people to opt-in. People are getting a lot of these emails at the moment, and you don't just have one bite at the cherry. So if you can have a re-engagement campaign before the 25th of May that's getting people excited about saying yes to receiving your marketing emails going forwards, then fantastic. If you leave it until the 24th of May and just send one email, chances are not many people are going to click on that.
Sorry, just giving my hand a rest. I have no got a ... I've not got a ...I'm going to have to hold this hand out. I've not got a stand out here. What are those things called? Tripod. I have not got a tripod out here.
So that's something to think about, really as soon as you can, is working out your lawful ground of process, and if you're relying on consent for marketing emails, and you haven't got your GDPR standard of consent then you need to start thinking about that, certainly within the next week I would say, because post the 25th of May if you don't have that consent and there isn't another lawful ground of processing then you can no longer do that processing. I.e., you can no longer send those marketing email.
I've done lots and lots of videos on this in the group, particularly in the context of ... Well, two things really. One is the refreshing of consent, the other is going forward in terms of the consent that you need for things like lead magnets. So do go and watch those videos if you haven't. If you haven't discovered it yet there is a list of all of my videos in the file section of the Facebook group. So you can scan down that quite quickly, see the title, see the relevant video, and then just click on the link to watch it. So don't feel that you need to watch all of the videos. I think if you did you would go a little bit mad, and you certainly won't really have the time to do that and take it all in and work out what you need to do before the 25th of May.
Actually, I've just today, I'm adding to the pack an email that is that type of email. So it's an opt-out email, rather than an opt-in email that's also in the pack. So then check that out.
So that's really the main thing that you need to be thinking about before the 25th of May. Certainly, the Information Commissioner’s Office in the UK has said that the... It's not like ... I've always said this, there's not a big guillotine going to fall from the sky and any slight noncompliance is going to result in a fine or any other kind of consequence for you. It's a case of working towards compliance, but I think those things that I've mentioned that would be very wise to do before the 25th of May.
Okay. I'm going to ... Dear me. I'm going to end it there because my muscles have clearly not been working out enough because my muscles are giving way now just from holding the camera like that for ten minutes. So I'm going to end it there.
So I hope that helps those of you who are feeling slightly panicked now by the looming deadline. Please don't panic. Remember that certainly, the ICO in the UK has said it works with a carrot more than the stick, so as long as you are taking steps to compliance, in my view, you'll be absolutely fine.
So that's it. I'm off to Dubrovnik tomorrow. Actually with my ... Oh, dear. I'm going to have to rest my arm there ... with my other business, so I'm going to be pretty much out of action all of this week. I'm still going to be finding time to be doing a video a day though, because that was my commitment. So I'll be filming the videos from the beautiful Dubrovnik, in Croatia. For those of you who've been, you know it's absolutely stunning destination. So I'll be very happy to be there.
So you're in good hands with the support team who are all back after the bank holiday weekend tomorrow. So I'm confident that they will continue to look after you. And Veronica, who has been such a huge, huge help in all of this, will be still maintaining a very regular presence in the Facebook group.
So thanks to all of you. I hope you've all had a wonderful weekend whatever you've been up to, and I will be saying hello from Dubrovnik tomorrow.