With the updated General Data Protection Regulation (GDPR) now in force, have you checked whether your mailing list complies with the new legislation?
The regulation runs to 99 articles, so it is easy to be in breach without realising it. It has changed the way companies and public sector organisations handle customer data. The most difficult changes are those affecting information you already hold on current customers, including email lists.
The accountability principle
The new regulation introduces the accountability principle, which requires businesses to be able to demonstrate how they comply with the principles of the legislation. This applies not only to the collection of new data but also to data already held.
Article 5 of the regulation requires that all personal data you currently hold is:
• Collected for a specific purpose, and that purpose is made clear to everyone whose data you hold.
• Not used for any purpose other than the one for which it was collected and, where consent is the basis for processing, the one for which consent was given.
• Limited to what you need for the purpose for which you hold it. (Any other data should be deleted.)
• Accurate and, where necessary, kept up to date. Inaccuracies must be rectified without delay, and rectifications passed on to any third parties to whom you have disclosed or sold the data.
• Kept only for as long as is necessary for the purpose for which you hold it.
• Stored securely and protected against unauthorised access.
What do you need to do to make sure you are compliant?
Make sure you have clear consent from existing customers to use their data for the purposes you have described. Note: a pre-filled form or a pre-ticked check box does not count as clear consent.
If you cannot show that you have received clear consent from a customer, you must either obtain their permission again or conduct a legitimate interests assessment (LIA) for each form of processing (e.g. marketing) you carry out for these people. Note: only send consent request emails to customers who have already agreed to receive information from you. Trying to obtain consent from customers who have already asked not to receive information from you is itself a breach of current data protection legislation.
Implement an information governance framework that records changes made to customer data. You must keep a record of each customer's individual permissions so that you can prove you have permission to send them marketing material.
Delete all information that is not required for the purposes for which you have received permission. For example, you do not need to know someone's date of birth to send an email newsletter, unless it contains information that is unsuitable for minors.