GDPR – Q&A

Transcript of the Video

Hello everybody Suzanne Dibble here, data protection law expert coming to you live, doing live Q and As every day this week but possibly not Friday, depending on... Well, I have to see what I can dig about. Oh, Morgan, you've got in super quick there, well done. A very quick question. Yes, the quicker you get in, the more certainty you have of me answering your questions. Welcome, welcome, sorry I'm a little bit late. My A Car Dayman was late and I had to put my ice creams in the freezer, so sorry for starting a couple minutes late. Welcome, welcome to all of those who are joining. Let me grab my iPad so I can go through your questions on there.

Okay, welcome everyone who's joining. Welcome, welcome, welcome, and got some questions already. Obviously, the ones who were on the other Facebook live and saw how many questions we got thought better get in quick with the questions, so I shall crack on. We've got an hour, so we'll see how much we can get through. Okay. Morgan, hello Morgan, well done for getting in there first. What do we do in the case of US processors... Oh before I start actually, I just want to say if there are any new members in the group, try and at least watch the overview training before you come on these Facebook live Q and As because just getting the questions out of context might confuse you.

Always, I think, really, try to set aside a bit of time to go into the pin post and watch the overview video before you come on these live Q and As because otherwise, you won't know what we're talking about and you'll get a bit panicked because you'll think how does that apply to me. Chances are, it doesn't apply to you, so go watch the overview video, work out what applies to you, and then you can listen in to these Q and As if you want to listen to the answers, work out and also bring your own question.

Yeah, good to have an overview as to what's going on before you get into this because if you hear this question, what US processors and privacy shield and blah, blah, blah, you'll be like oh my God, I don't know what this is all about, so go and watch the overview training first, right. Okay, so "What do we do in the case of US processors who are in review with privacy shield and waiting to be approved? Can we continue to use them after the 25th of May if their privacy shield status has not been confirmed by then? We have one processor who has not updated their T's and C's or privacy policy but says they are in review and we have a second processor who has updated their policies and says they are in review."

Okay, so the letter of the law says that as data controllers, we can only use data processors who are GDPR compliant and if we are transferring data internationally, that we need to have certain safeguards in place. However, the reality of enforcement and the letter of the law are often different things, so I think your real question is, "what is the risk of anything bad happening if you continue to use them". In my view, not very much is going to happen in that space for however long they are in review with privacy shield. Obviously, they're taking data protection seriously; they're working towards being privacy shield certified.

If anyone does come investigating you, I'd be quite comfortable to say we asked all the right questions, they've given us these assurances that they are working towards privacy shield status and yeah, I'm sure that would be absolutely fine. I think what we absolutely shouldn't be doing is knee-jerk reactions and thinking oh my goodness I've got to switch my business to another processor on Friday if they're not compliant or part of the privacy shield by that time.

I think if they're clearly working towards it and they've given you assurances that they are, then personally, I would be absolutely fine with that and confident that if a regulatory authority did come knocking that you would have taken the steps that you needed to take whilst we're in this transitional period. Okay Adam, hello Adam, nice to see you. "If we install a security plug-in on our client's website Wordfence which uses IP addresses for security monitoring and we use the email notifications from this and have access to the website, are we a processor or is it the client's responsibility?" Okay, so if you say you're using the email notifications, then that is personal data.

I don't exactly understand how that all works Adam, being honest, but if you're using the emails and I think even if you have access at some point, even with having access, there's a reason why you've got access, isn't there? I think that in all likelihood you are a processor and Wordfence is the sub-processor. If you've got the contract with Wordfence, yeah. If it goes client contract to you Adam and then you're contracting with Wordfence, then they're your sub-processor. If Wordfence has got the direct client contract with the client, then they're a direct processor for your client.

It's the client's responsibility to make sure that both of you are added as a processor, and Wordfence, if they've got that direct relationship with Wordfence. It's their responsibility to make sure that you and Wordfence are GDPR compliant. Verity says, "Thank you so much for doing these." You're very welcome Verity, thank you so much for thanking me, makes it all very worthwhile when you get nice people like you saying that. "As a church, our members make and vote on all decisions. The only information we hold on them is freely given verbally, but from what I can figure out, that won't count as a GDPR standard of consent. I believe we can use legitimate interest, but I'm still confused as we use information within what our members would expect.

Does the fact that it's a membership change anything?" Okay, so the first thing to know is that you need to decide what is your lawful ground of processing for that data. You need to think about what's the purpose, why are you collecting that data, and then go through the six grounds of processing and see which of those it's likely to be. You've not told me much about what you're doing with that data, but it's probably going to be something between consent and legitimate interests. Now, the second thing is that consent can be orally given, so you can have a GDPR standard of consent that is orally given. You just have to make sure that you keep a record of that consent, and again Verity it's a risk analysis as with everything.

I think if you are treating that data fairly and with respect and in a way that your members would expect you to, then you're not going to have any issues, okay. Claire says, "If we get a photographer to take pictures at a B2B event that we're running, would they be the processor and need to supply us with a processor agreement?" Good question Claire. Haven't thought of that one, and so with photographs, photographs that identify individuals can be personal data. Now let's think about it. The photographer, yeah I mean I suppose in theory, in theory, the photographer is processing that data under your instructions and in theory, yes, but goodness me, can you imagine ... Well, I just can't imagine if you send the processor agreement to a photographer and say we need to sign this.

I mean when you think about it in this level of detail, the number of potential processors out there who you would, in theory, need to have processor terms with is very wide, isn't it really? I'm sure that when the legislators were writing this legislation, they really didn't anticipate it applying in those instances, but really the processor agreement and passing on that contractual chain of protection is to secure the data because there's no point protecting the data whilst it's with the data controller and not having any protections in place when it's with the data processor. Yes, I mean according to the letter of the law, then yes you would have to have the processor terms in place, which makes it interesting, doesn't it, really?

Again, risk analysis exercise, there isn't a big data protection police force that's going to go around checking that every single processor has these terms in place, but what you want to think about is if there is some kind of breach and there is a potential investigation, then if you don't have it in place, then that's when there's an issue, isn't there? You need to think how likely is it that there's going to be any problem. I think the worst case scenario there is, the photographer that you've engaged loses that... Maybe he's taken some compromising photos or something, I don't know. Does that kind of thing go on at a B2B business event? I don't know.

Takes some compromising photos, maybe unintentionally loses the memory stick because he hasn't got sufficient security in place to protect those photos, and then this question is asked. I mean I think that's very, very remote, isn't it? Again, risk analysis for you. I'm telling you what the law says; whether you actually choose to put a processor agreement in place with those photographers is for you to decide.

Cassandra says, "So glad you're doing these calls." Well, I had an inspiration Cassandra, on Monday. I managed to get a… really, and it was a beautiful day, and I was listening to Wayne Dyer and I can't remember which one it was, and it was talking about inspiration, and I was just inspired. I thought how can I best help people in this run-up to GDPR, and so I was inspired to do these calls, so if it's helping you in a small way, then I'm really glad about that. Hi Eunice, hi Sharon. Rebecca says, "Hello." Hello Rebecca. "If a company has a database of freelance suppliers that they use on an ad-hoc basis, is the most appropriate lawful basis for keeping their personal data contractual or legitimate interests?"

Well, I'm guessing even if it's an ad-hoc basis, there's still a contract there Rebecca, so it would be contractual. "Would the fact that some of them trade as limited companies mean that the contract wouldn't be suitable because the individual isn't a party to the contract?" No, it would still be suitable and the individual will be an employee of the limited company, so for GDPR purposes, it's the legal entity that we're worried about. The fact that they are an individual, that there's an individual within a corporate, doesn't change anything. You can still rely on contractual grounds of processing there.

Victoria says, "Hi Suzanne I don't have a mailing list or a newsletter, but I have current client info which I need to do my job. What do I need to do to comply with the new rules?" Okay, well that's a bit of a broad question that takes me about an hour to answer, Victoria, so I can't tell you that. If you go and watch the ... I did a video, I think it's called GDPR for very small companies. If you go into the file section of my Facebook group, there's a list of all the videos that I've done with links to those videos. If you scroll down there or maybe use the search facility and put in GDPR for very small businesses, that will give you good pointers as to what you need to do.

Deb says, "Re-opt-in on the website, I've put the statement on your document on my website. Do I need a tick box for email marketing too?" Not sure which statement on my document Deb, so you're going to need to be a bit more specific on that so that I can answer that question. If you're talking about the privacy notice, then yes chances are you will need a tick box for email marketing and there's a couple of things... Actually, I think the best place to look now if you're a person that likes the written word rather than video... If you haven't watched my marketing overview and you're a video person, then go and watch that. If you look in the pinned post of my Facebook group, there's a link to the marketing video.

There's also a transcript there now as well actually for those of you who prefer just scanning through it. There's also a fantastic blog that optimized press put together using my materials and that talks you through all the things you need to think about in terms of opt-ins and email marketing. Laurence says, "Just tuned in. Will UK businesses have to comply with GDPR after Brexit?" Yes, we are putting into place the data... At the moment the data protection bill is going through Parliament; that will become our new Data Protection Act which essentially reflects GDPR but with some derogations. The UK government is very keen to ensure that there will be a free flow of data through Europe, from the UK to Europe, so that's why we're essentially agreeing to GDPR.

Alexandra says, "Is consent required for offer reminders that a quote is still valid sent to prospects?" No, I would have thought you would still be okay under the contractual ground, so let us just remind ourselves what that says. The six lawful grounds of processing: the contractual ground is that the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract. I think if you've sent them a quote and you haven't heard, I think it would be quite reasonable to check that it hasn't gone into their spam box or they haven't seen it or whatever, so I think you'd be okay on that.

Obviously, if you're sending them five emails saying it's still valid until whatever and they've not got back to you, then that would be a bit of a different matter. Deb says, "A bit confused about the Facebook pixel. I use this to my privacy policy, is it also classed as a cookie?" Yes, it is a cookie. "Do you need to edit the cookie policy?" Yes, but I think we're pretty sure that the wording that's already in there covers that. Annie Rowley, hello Annie is my husband's mother's cousin. I think, is that right Annie? Annie runs a super successful marketing agency and has the best B and B in the whole of Hartford called one something. Can't remember what it's called now, but I'll post a link for anyone who's interested.

It's an amazing B and B in Hartford, won all kinds of awards, right. Barbara says ... Oh no, have I missed some? Hang on. Cassandra says, "My GDPR VAs all fell through for various reasons, so now I have three days to get this done. My question, I'm a practitioner and my list is 99% of people who've had sessions with me, and a few who have talked with me to ask questions. They signed up for my clinic and event updates and videos to support their health journey with me. Does this fall under legitimate interest and I just need to send them my privacy policy update and an unsubscribe option? Can you advise me on this?" No, Cassandra, I can't advise you. I can give you guidance on it and educate you on what the law is, but just be clear, it's not legal advice.

Okay. Yeah, so if you have existing customers and you're emailing them about something very similar to what they've already either bought or been in touch with you about, then yes legitimate interest should be fine. Under PECR if you're in the year, you remember PECR is the legislation that works in tandem with GDPR and it says that we need to have prior consent for unsolicited marketing emails to individuals unless the soft opt-in applies. If you look in... I've done a number of videos on the soft opt-in and there's also, in the file section, a re-consent checklist and the soft opt-in is set out in there. Yes Cassandra, just check on that soft opt-in to make sure that you fall within that. If you do, then you could rely on legitimate interests.

Okay Alice says, "What happens when someone orders a custom order as a gift for someone, say someone orders an anniversary frame from me for their parents, so I have their details given to me, first names and wedding date, but what happens if the customer says I can share the finished product on my social media page, is that consent okay as it's not their own personal data but it's in their order?" Okay, I think the first question to ask, Alice, is whether you can identify those people from that data. If it's just first names and wedding date, then that's going to be quite hard to identify them, although saying that, I said that about something else and someone came up with this amazing new technology that let people do something to identify that person.

Again, Alice, I think about the risk here. If it's the children and they are saying yes it's fine to post that on social media, then what are the chances of anything at all bad happening to you? Not very much, is it? We could sit and theorize about all the different ways that GDPR does or does not affect that but in reality, is anyone actually going to be bothered about it if you've got the consent from the person who's actually ordered it? Barbara says, "I've watched various videos on this topic. I'd like your perspective on this question Suzanne.

If a trainer is travelling and has personal data on his or her laptop, does that mean that he or she needs to sign the model contractual clauses as a processor, even though they may not be accessing that particular data in a third country such as the US or countries covered in the 12 countries that have the adequacy finding? I'm feeling they should but wonder if it's over the top. We're working with about 20 trainers." Okay, so I'm trying to work out the chain of events here and where people are. They may not be accessing that particular data in a third country. Mm-hmm (affirmative). I think Barbara, my feeling is, this is over the top.

Here's an example. If a trainer or a freelancer that is typically within the EU is traveling outside of the EU or EEA, does that count as an international transfer of data? Now, to be honest, I don't actually know the answer to that, I've never been asked it before but in reality, if we think of what is... Those trainers, if they are established within the EU, will be subject to GDPR and will have to keep the data secure and all the rest of it, but I'm curious now to see what the actual wording is about transfers. Where is it?

Any transfer of data which are undergoing processing or are intended for processing after transfer to a third country shall take place only if the conditions laid down in this chapter are complied with, and then it talks about adequate levels of protection, etcetera. I mean yeah, transfer to a third country. I don't know, I haven't read anything about that specifically, but my view would be if the trainer or the organization, if they are subject to GDPR, then the fact that they may be on holiday for a week and are doing a bit of stuff while they're on holiday, I certainly wouldn't be wheeling out the model clauses just for that. Again, risk analysis here.

Yeah Barbara, personally I'd make sure that I've got processor agreements in place with the processors because you have to do that wherever they're based, whether they're inside of the EEA or outside. I'd absolutely have that in place and if you've got processors who are established outside of the EEA, then I would absolutely have the model clauses in place or some alternative safeguard. In terms of people who are outside for a temporary, transitory time, I wouldn't look at doing anything on that. That's my own personal view of the risk analysis there; you can choose your own.

David says, "This is a lovely video broadcast." Well, thank you, David. We all didn't know that GDPR could be so exciting, did we, really? It's the legal topic that keeps on giving. David is an executive coach and life coach. "I've got a lot of non-digital data, e.g. client records, progress notes, etcetera, as clients often come back even up to three years later. I haven't been able to get in touch with them all regarding this data. I take it I have to destroy these records." Okay, so the first question to ask yourself, David, is why are you keeping that data? If you don't have a lawful ground for processing it or you just don't need it, then yes you should delete it.

If they are past clients, then I'd be thinking about what you need if there is ... Let's hope there's not, but if there is a contractual claim down the line, the statute of limitations is six years. You also might need to keep certain records for insurance purposes, so make sure that you keep what you need to keep. If it's notes that you really don't need, then yeah I would just destroy them. Data minimization is a principle of GDPR. It means not keeping more data than is necessary for what you've told people that you're going to do with it. If you need it for legal reasons or insurance or things like that, then keep it. Keep it secure, keep it in the locked file cabinet.

Also, remember that with GDPR and offline data... Oh heck, sorry about that. Just caught my sleeve on the headphone there. Remember that with GDPR it is only data that is... Let me get you the word. It's only processing of personal data wholly or partly by automated means and processing other than by automated means which form part of a filing system or are intended to form part of a filing system. I'm guessing David that you've got all of these notes in files and stuff. If you don't, then it's okay, although I'd just destroy it anyway to be safe. Yeah, so make sure that if you do need to keep it for legal or insurance purposes or some other reason, then keep it. If you don't, get rid of it and obviously dispose of it securely.

Also, the other thing David just to throw in there is, make sure it's personal data. If it's progress notes, it might not necessarily be personal data, if there's nothing in there that actually identifies that person, unless it's got the name on each page or something like that. Carlo says, "Can we still order traffic from solo ad vendors?" Yeah, okay. I know what you mean, but trying to actually express that in my non-technical terms is a bit tricky. Yeah, any collection of data which is not coming directly to you, you need to think about really carefully and think about what those people are telling the people who are signing up with them, okay.

If you're buying lists or if you're, say, ordering traffic from solo ad vendors, then you need to make sure that they are GDPR compliant and that they've been upfront with people about what they're doing with that data, so that's the main consideration that you've got there. Anya says, "In a business taking a medical history in order to carry out a treatment and writing down medical notes following the treatment, at what point do the patients have to consent, in writing or verbally, at every treatment?"

Well, I would have thought Anya that the practice itself will have an overarching privacy policy and consent document, so I wouldn't have thought that it would be at the point where you're writing down the medical notes following the treatment that you'd need any kind of extra consent. That should all be dealt with upfront when the practice is taking on new patients and obviously all the practices will now be doing something with existing patients. I would have thought and certainly that it's way beyond the scope of this Q and A to advise practices on their entire privacy policy and GDPR compliance and getting consent, etcetera, but certainly, that should be built in holistically into the practice and not just thinking about writing medical notes.

Now, if you're doing that as a freelancer in some way and you are not an employee of that practice, then again that's dealt with upfront. They should be getting you to sign the processor agreement and you're covered that way, okay. Remember, processors don't need to get their own consent, okay. You're relying on the lawful ground of processing of the controller, okay. Rich says, "Very useful Q and As, thank you for this session." Thank you, Rich, thank you so much for saying that, that's very kind of you. "Surely, the danger post-Brexit is that UK businesses might have to join the privacy shield to process data." No, I don't think so.

I think we'll have an adequacy finding or ... Now I did read something about this recently and someone said something else and I thought oh that's an interesting point, but I can't for the life of me remember. No, I don't think that, so we're not going to have to do something similar. I'm sure there'll be an adequacy finding because effectively we have the same law as Europe. Wendy says, "Thank you for this, please advise." Nope, can't advise, just guidance and education and then you do what you want with that. "I've sent out two newsletters from MailChimp now for GDPR asking people to update details. My website guys say that those who haven't opted in by the 25th have to be deleted. Is this true?

For a lot of these people, I have consent on paper dated and signed from those I've been in physical contact within the last few months." Okay, Wendy, we've discussed this many, many, many, many, many, many, many, many, many, many, many, many, many times in the group. I know that's not helpful for new members and so if you're a new member, then I understand your question. The best thing to do is, go and have a look at the re-consent note in the file section of my Facebook group and that will talk you through that.

Yes if you've worked out that you need to get people to re-opt-in and they don't by Friday, then you can't then email them after Friday because effectively you've not got your GDPR standard of consent and if that's the ground that you're relying on, then you have to stop emailing them. Doesn't mean you have to delete them necessarily. You can keep them on a suppression list if you have other reasons to process that data. Annie says it's Number One Port Hill, her B and B, and I can really recommend that, awesome place. Okay. Jonathan Graves says, "Small charities sending newsletters.

The ICO direct marketing guidelines say a soft opt-in exception only applies to commercial marketing; not-for-profit organizations will not be able to send campaigning texts or emails without specific consent, even to existing supporters. As a charity, should we, therefore, forget legitimate interests and just re-consent everyone?" Yes. Yes, if you can't... Well, it depends who you're emailing, because remember that PECR only applies to individuals, which include sole traders and partnerships. Presumably, you would be able to email corporates, so look through your list and see if you can segment that way. Yes if the soft opt-in doesn't apply, then for PECR purposes, you would need consent for marketing emails.

Yes, so even if you decided it was deep under legitimate interests under GDPR, then you would still need consent under PECR, but as I say maybe you can segment the list and carve it out so that you've got individuals on the one hand and corporates on the other. Bridget says, "I write features interviewing people in business or who've just bought a new home. How long can I keep my notes for?" Okay, you can keep them as long as you need them Bridget, so there are no 20 million permutations of how long we can keep specific pieces of data. It's really a principle which is about you keep the data for as long as you need it.

Now needing it could be that you need it for potential legal claims in the future or for insurance details, but if you don't have any need for that data, then yes you should delete it because of the data minimization principle. "Also, I keep copies of my published articles which presumably I can keep indefinitely." Yep, I suspect your published articles aren't necessarily all dealing with this processing of personal data, so it's only where data can identify living individuals. If you have identified people within those... Yes okay, I see what you're saying actually. The published articles are people that you are interviewing so by that token, they are identified by their name and their business and whatever.

Yes, I mean again how long do you need them, yes I'm sure that's absolutely fine. We don't have to go around and start culling all of the articles that we've written. "Can you recommend any encryption for emailing as I use Outlook currently and don't know if this complies or not?" No, I can't. I'm not really a security expert, but there have been lots of discussions in my group about it. If you use the search box and put encryption and email in there, then that should throw up some good threads about that. Alice says, "Thank you so much, you've been incredibly helpful." You're very welcome Alice, thanks for coming on and asking the question.

Karen says, "I run an inventory company and only act on instruction from landlords and agents, so I'm just a data processor. If I have self-employed clerks, are they sub-processors and is there anything I need to send them?" Yes, so they will be sub-processors if they're self-employed and they're processing that personal data under your instruction, and yes you will need to send them the processor terms. It's that contractual chain of protection all the way down the line. You also need to do due diligence on those sub-processors to make sure that they are compliant with GDPR and keeping the data secure, etcetera, but yes you'd need to have that for all of your sub-processors.

The processor needs to put in place a similar contract that has all of the processor terms in there with the sub-processor. "I'm also confused as to whether I need to register with the ICO as I'm only a processor." As I've said, the ICO registration is changing to a controller charge. I believe it is just for controllers, but presumably Karen you are a data controller in your own right because you have details of your clients and things like that, so I'd be looking at whether you need to register for that controller charge in any event for your own business.

Cliff says, "I run the IT side for an operatic society which is a registered charity. Our ticketing operation is already compliant" (well done) "and we need a privacy policy for our website, but how..." There's one in my pack Cliff. If you're a charity, you get my pack for 50 pounds. If you email [email protected], they can sort you out with a pack for 50 pounds if you give us your registered charity name and number. "How do we deal with our historic mailing list which was postal based? None of these people consented although they are all or have been supporters." Okay, so postal marketing is slightly different to email marketing and chances are, Cliff, that again you need to work this out yourself.

Oh, low-power mode already. You need to work this out yourself but work through your lawful ground of processing and it might be that you can rely on legitimate interest under GDPR for continuing to mail these people. Now as for PECR, that doesn't apply to postal mailings, so you don't need consent for the purposes of PECR. Go and work out, watch the overview video and work out whether you can rely on... I've also done lots of videos on legitimate interest as well, so work out whether you can rely on legitimate interests for that.

Now a question that you haven't asked but is related and I have been asked before is, if you've got a postal mailing list, does that mean you have to post out a copy of your new privacy policy, reminding them of the right to opt out, to all of those people? Well in my view, that is an unreasonable ask of a small business, and so I would just pop that on your website. Then on the next mailing that you do, refer to that link. Martin says, "What book do you refer to?" What's that Martin? Are you talking about my audio? I was listening to Wayne Dyer on my run. Can't remember what it's called, although I mentioned it in the book, I'm not sure. Right.

Ria says, "Hi there." Hello Ria, what a lovely name. "As a PR, I do sometimes handle and process data on behalf of a client. I mean I don't, now, but I could in theory, so something like a competition winner's address, for example, do I need any forms of agreement for this or can I put my own policies in place, for example?" Hang on a minute, let me process this. Sometimes a processor... Okay, so Ria I think this is what I was saying before. If you're a processor, then you don't need your own privacy policy, for example, or to get consent or whatever in relation to the data that you're processing on somebody's behalf because they've taken care of all that.

What you need to have in place is the processor terms with the data controller, but you do need to think about a privacy policy for your own data that you control, which is things like the names and addresses of your clients. "Equally, if I'm given access to somebody's mail software to design a newsletter, do I need an agreement for this or can I just set this out in my privacy policy regarding how I would handle this?" Okay, so that's the same point. You need to have those processor terms in place; they're in my pack. You can either use a standalone processor agreement or the processor terms that you can incorporate into an existing agreement.

Okay, Jackie. How do you say it? Jackie? "At the moment we don't do email marketing, although we will do soon and I intend to use MailChimp. However, we do email our suppliers, distributors, and end-users and often copy those into emails to others. For example, we may copy a distributor into an email to a supplier. Do we have to notify all those people that we may share their data with third parties?" I don't see any reason why you shouldn't, and in theory, yes, I think you probably should. Yeah, just a quick sentence in your privacy notice to say that that's what you do, that should cover you. James says, "Thanks for the info you've given in this group." James, you're very welcome, thank you for acknowledging that, very kind man.

"Personally I found it invaluable..." Oh, even better, thank you James. Question: "My business has a team of sales representatives who regularly send out prospecting emails to multiple individuals working and operating in the B2B scientific sector." Okay. "These individuals are not existing customers of our business, but their contact details will have been found in the public domain, for example, listed on their company's website. Is this type of communication acceptable under GDPR?" Okay, so the sales reps, who are presumably employees, send out prospecting emails to multiple individuals working in the B2B sector, and you've got their email addresses from the public domain.

Okay, so the first question is, is it personal data? Because if you have an email address that is [email protected], so that's a bad example actually. [email protected]. There's no personal data in that email. If you had a first name and a surname, could you identify them? Then yes, you could, because you'd know what company they work for and unless there are 10 John Smiths working at a certain company, then you could identify them. The first question is, is it personal data. If it is personal data, then GDPR applies and for B2B, chances are that legitimate interest will apply as your lawful ground of processing for that.

Then you also need to think about PECR, which says that you need to have consent for unsolicited marketing emails to individuals. Now if you're talking B2B purely in the sense that these are big companies that are going to be limited companies or LLCs, then you don't need that consent under PECR, but if people are maybe emailing smaller companies that might be sole traders or partnerships, then PECR would apply and you would need that consent. James, I think if the question you're asking is, do you need consent to continue to do that, the answer is probably not; you can probably rely on legitimate interest under GDPR, and PECR wouldn't apply if you're emailing corporates.

Make sure that you are completing the legitimate interest assessment form and keep that on record, and also note that under legitimate interest, the data subject has the right to object to the processing. If that is in relation to direct marketing, then you have to stop that absolutely. There's no question to ask; you have to opt them out, so always give people an opt-out even if it's B2B marketing. Tina says, "Thank you for all the incredible help and guidance Suzanne." Thank you, Tina, what a lovely person you are, thank you so much. Jane says, "Example: if Paul makes an appointment for Jane, we take Paul's contact details but Jane's name. If Jane calls to ask about the appointment, can we discuss this with her?

Likewise, if Paul calls to discuss, as he booked in the first place, can we discuss it with him?" Yes, okay. Again, risk analysis here, and Paul's probably Jane's husband. Is Paul or Jane ever going to complain? If not, it's fine. It's not designed to stop us doing business, okay. Kerst, oh lovely name. "Do we really need to send a reconfirm email to our newsletter subscribers if the emails were gathered according to the rules at the time?" Okay, lots of this in the group, Kerst. Watch the marketing overview, look at the re-consent note in the files, but essentially, the thing that's changed, for those of you who are new to the group and wonder what all the fuss is about.

If you've worked out that consent is your lawful ground of processing for sending marketing emails, then what GDPR has done is that it's increased the standard of consent that we need to get, okay. Under the old rules, pre-ticked boxes were okay for consent, opt-out was okay for consent, okay. If you've got marketing that relies on things like, and this is not an exhaustive list, I'm just going to use some examples, things like pre-ticked boxes, or you had opt-outs rather than opt-ins, then that is not a GDPR standard of consent, okay. You need to look at that, go through the checklist of what is a GDPR standard of consent, and if you haven't got that, then you need to get re-consent to send those marketing emails.

This is if you've decided that consent is your lawful ground of processing; then you would need to do that. Now do look at my note on re-consent, because there are also people who are concerned that going back and asking for consent for marketing emails is illegal and will get you fined. That's only if you didn't have consent in the first place at all. Obviously, yeah, you can't just randomly start emailing people and saying, oh, do you want to consent to my emails.

You can't do that, but if you had consent, it's just that it wasn't to a GDPR standard of consent, then you need to go out and get them to re-consent without a pre-ticked box and with it being an opt-in rather than opt-out, and all the other things that we need to do before Friday, or you won't be able to continue to send them marketing emails unless they opt in to your list some other way, okay. How are we doing on time? Let me just have a quick check, quick time check. Hang on. 12:49. What time did we start? 12, wasn't it? Right. Ten more minutes, hang on. Questions, whoever... they're gone. Right. Ronnie says, "Do we need to send out a new DPN to all our clients?"

DPN, what's that an acronym for? DPN, do you mean DPA? You won't be sending that to your clients though, well, unless you're a processor of course. Yeah, if you're a processor, Ronnie, and you're saying do you need to send the new DPA to all of your clients, then probably, because the GDPR specifies a number of things that you need to include in your processor agreement, although note you can have it as part of an existing agreement. You can amend an existing agreement to put in the new processor terms. Altaf says, "Do we have to send a data processor agreement to my accountant who does my payroll for me?"

Yeah, now this is an interesting one, because unfortunately I think the accountants at the moment are still waiting for their regulatory body to give them some definitive guidance on this, but I think that the stance that they're taking is that, well, they're definitely a data controller in their own right for a lot of your data because they have to act on that independently. Oh, a data protection notice, okay, you mean a privacy policy or privacy notice, yeah. The question was, do we need to send a privacy policy to all of our clients? Yes. Yeah, if you've got a new one, then yes, you do, either send it with your email getting consent or if you're relying on legitimate interests, and actually, so you're just talking about clients here.

Yes, I mean in theory yes, you should send it, but if it's not out before Friday, it's not the end of the world. If you want to send it in your next client communication and put a little note saying, in a PS, in accordance with GDPR we've got a new privacy policy, then I'm sure that's absolutely fine. Yeah, so back to accountants. Are they processors? In my view, they are and we should be sending them processor agreements, but I think that accountants will go with whatever their regulatory body tells them. Also, if there is a reasonably sized firm of accountants, then they're not going to want to receive 50, 100, 200, a 1000, however many separate processor agreements, so they will be putting their own processor terms in place.

As of fairly recently, when I looked into this, the accountancy governing body had not issued any definitive guidance on it, which is a little bit frustrating for all concerned really. Christy says, "Do I need to inform all old and current clients that I hold data for tax, and if so, how long I will keep them on record, and point them to my new privacy policy? Thank you, fabulous lady." Well, thank you, fabulous lady Christy, for saying that. I think I've just answered that question: yes, how long you'll hold their data should be in your privacy policy. If you haven't yet got your new privacy policy, then obviously you can get one of those from my pack that contains all the relevant wording that you need on that type of thing and how long you can keep the data. And do you need to send it?

If you're not sending a re-consent email to current clients, if you're not marketing to them, so you're not sending them a legitimate interest email that is reminding them of their right to opt out, then what I would personally do with current clients is I would wait until your next communication and then put it as a PS at the bottom, because quite frankly everyone's getting sick to the teeth at the moment of receiving new privacy policies. Probably better to do it in the next correspondence. Right. A few more questions, then I think that's it for today. I am doing at least two more this week, possibly one on Friday if I can squeeze it in.

Jodie says, "I have a webshop, a bakery. Upon purchase or newsletter signup, can I ask their birthday for promo purposes, e.g. to send them a discounted offer for their birthday? Is this an example of sensitive data?" No, it's not sensitive data. As long as you tell them what you need it for, Jodie, you'll be fine. What you can't do is collect unnecessary data for the purpose that you've told them about. If you say, we'd love to send you a gift or a discount code around about your birthday, put this in here if you'd like to receive it, then that's absolutely fine. Carlo says... Oh goodness me, this looks complex, I've got to read an email.

"The email I received from my email service provider: We are Privacy Shield certified and when subscribers are coming from the EU, there's an additional step for those subscribers. They're sent to a consent page, dah, dah, if they choose one or both options." Okay, so it sounds, Carlo, like for people from the EU, they are... I don't know why they're doing that, because if they're Privacy Shield certified, they don't need to have an extra step for anyone from the EU. It sounds like they're getting explicit consent to that transfer and they're Privacy Shield certified, which they don't need to do, and the fact that they are Privacy Shield certified means that the data can flow freely to them. "Do you need any appropriate safeguards?"

No, if they're Privacy Shield certified, then you can happily transfer the data to them, if that's the question. Karen says, "I understood that if my clients are only landlords and letting agents... They get the tenants who I deal with to opt in. Am I then a controller if I have details of the landlords or agents?" I don't know from that information, Karen. You'd have to tell me what's happening with the data and what you're doing with it. Laura says, "Any idea how to make an agreement between the controller in the US and another department of the same company that is based in a country outside of the EEA?"

Yes, it's a bit tricky, isn't it, Laura, because they've come up with this idea that GDPR should apply to people outside of the EEA, but then we don't really have any mechanisms in place at the moment to deal with that, which makes it a bit tricky. What you would probably need to do in time, which isn't going to, and I'm guessing that the entity that you're talking about isn't part of the Privacy Shield. If it is, then you're okay. Oh, I see, sorry, you are saying the controller is you, not the US, it's you, and you're the controller. Oh, I'm not sure now. And the agreement between the controller, which is you, and you're presumably in the EU, and another department of the same company but based in a... Okay, so there, Laura, if you've got... I'm going to sneeze. Hang on one second.

Nope, it's passed. If you're transferring data between group companies or departments in different countries, then probably best to be looking at... Oh, she said, "Sorry, not US, as in my vets are in the UK and then the finance is in South Africa." Okay, yeah, but it's the same organization in South Africa, right, okay. Yeah, so really the way that people deal with that is by putting in place binding corporate rules, so intra-group transfers internationally are best dealt with by binding corporate rules. Problem is that they take a very long time to put in place because the regulatory authorities have to approve them, so that does take a while to do.

At the moment, you would probably be looking at explicit consent, or, well, actually you could put in place the standard contractual clauses or explicit consent. Then in time, and certainly if you're expanding into other countries, then I would look at binding corporate rules. Right. How are we doing on time? Two minutes. Who's going to get that question... Oh, Martin says, "I was referring to the book you have on your desk on the right." Okay, if anyone wants a good bedtime read. This is my GDPR guide, and actually, it's a practitioner's guide, but the bit that is really quite handy to refer to is that it's got all the regulations; it's got all the articles and the regulations in the back.

It saves me having to look online. And guess what? I'm not sure if I can actually... I can't talk about it yet, but I am in discussions to write a GDPR book that will be a lot simpler, a lot simpler than this one, I can tell you that. Hopefully, I'll have more news on that by the end of the week, right. No, Laura, we've answered. Louise: "Do we need to contact all the suppliers we use to inform them of what information we hold about them for trading purposes?" No. No, you don't need to do that. You would send them your privacy policy. Again, you could send them a separate email saying here's our new privacy policy, or you could just put a little link to your privacy policy on the next communication. Very last question.

Donna is the lucky last question asker here: "With the Facebook business page, is it worthwhile pinning my privacy policy that I have on my website?" No, I think that's going to confuse people. When people are inputting their data into Facebook, it's Facebook's data and they've already got all the consents and everything that they need there. It's when you do something with that data and take it off Facebook that you need to be concerned about it. With the business page, I'm not sure how you would easily extract data from that. Yeah, I'm not sure that you would be able to download any personal data from your Facebook business page, so no, I would just keep it on your website.

Okay, so there we have it. Ladies and gentlemen, thanks for joining me. Oh, Martin says, "I'd highly recommend that book." If you've got it, Tim Martin, it's not bad, it's not bad. It's definitely more practitioner based than lawyer based, but that's fine, it does the job. Yes, so I have definitely two more Facebook lives this week, one is tomorrow at... the computer is locked. I can't remember what time, but Veronica posted it in the group. I think the one tomorrow is at 1:00 and the one the next day is... I'll try and squeeze one in on Friday. I'm also interviewing a blogger on Thursday. I'm interviewing a guy who's got a really interesting platform that can help people with GDPR compliance.

I think that's tomorrow, and there are a couple of other things that are going on as well, so busy week. Well done to all of you for continuing the efforts to become GDPR compliant. Remember, don't panic. Friday, as the ICO say, is not the deadline, it's the start, so just take those few simple steps that you need to do by Friday, and really the only essential thing by Friday is, if you need re-consent, go out and get that before Friday, although I'm not sure what your opt-in rates are going to be like now. Although saying that, I'm still working out my final strategy for my own data and I'm also holding off publishing my privacy policy until the very last minute. Yes, interesting times, isn't it, guys? Interesting times.

For those of you who didn't get your questions answered this time, do come on to the Facebook lives that I'm doing tomorrow and the next day, and obviously the earlier you can get your question in, the more chance you have of it actually being answered. Thanks for all your kind words that you've put about these Facebook lives. I'm really glad that they're helping you, and thanks to everybody who's written, particularly over the last couple of days, lots of nice things in my Facebook feed. It's just really great to hear that I'm helping you, so thanks. If you haven't told all your friends, all your business pals about the group, then let's get them in. We're at 30,000 now.

I think my initial aim, which might have been a bit optimistic, was 50,000 by Friday. I don't think we're suddenly going to find an extra 20,000 people to come in by Friday, but keep sharing, for anyone... I mean, so many people still don't know about it. That's the worrying thing. I think the latest stat was something like one in five business owners have never even heard of it, and I wouldn't be surprised if it wasn't higher than that. If you're having business conversations and people haven't heard of GDPR, or they are talking about it and clearly have no idea what they're talking about, then direct them into my group. For those of you who haven't bought the pack yet, thank you very much to all those of you who have.

We're constantly trying to make it better for you and adding more documents in and making it more user-friendly, but if you haven't bought that yet, then go and grab that, because I think there isn't this... I said there isn't this vast data protection police force that is going to walk in on the Friday morning if you haven't done all this stuff, but I think for your own peace of mind, just taking those first few steps would be a really good idea: get a handle on your data inventory, put your privacy policy into place and your cookie policy. I think that will make you feel a lot better about things. Have a great day whatever you're doing, enjoy the sunshine, and I'll catch you tomorrow.