General Data Protection Regulation. GDPR. Doom and gloom. Is it “The end of the world as we know it”, “I predict a riot” or in fact “Let’s stay together”?
Having just attended the Chartered Institute of Public Relations Scotland’s very insightful GDPR seminar, I’m feeling a lot more positive about this thorny issue which is likely to be currently preying on the minds of almost everyone in business.
In view of the 25 May deadline looming large later this week and the barrage of misinformation and confusion around GDPR, I thought I would share the key points that I took from this event. The panel very helpfully featured a lawyer who focused on common sense application of the legal changes.
As I am not a lawyer myself, my own observations of this event are not legal advice, but will hopefully be useful nonetheless to those of us currently ploughing through the minefield of GDPR. Everyone reading this is likely to have been on the receiving end of a deluge of opt-in emails over the past few weeks, requesting permission to keep in contact.
If you have already asked people to opt in in the past, sorry to be the bearer of bad news, but you will still need to be able to demonstrate you have this consent going forward. If you are in touch with individuals as consumers, the panel made it clear that different rules apply and the individuals’ consent is in fact required for your organisation to keep in touch with them. It is also important for the organisation to be clear on what sort of consent the individual has given, so replying to a competition with an email address doesn’t give blanket permission to bombard that individual.
As a communications professional I was listening intently for answers to the tricky question of dealing with journalist and media contacts. This issue divided the panel, but it is fair to say that using a paid-for media database doesn’t mean you can avoid being considered a data controller; you and your organisation are probably still likely to be downloading data and using it for your business purposes.
The panel’s advice was to make it clear to event attendees – possibly through signage at the event – that photographs would be taken and images may be used at a later date. A belts-and-braces approach could be to include this information in any pre-event communications with delegates, which could allow people to opt out in advance. As a business owner, I must admit that GDPR does seem a bit like using a sledge hammer to crack a nut. However, the panel emphasised that being able to demonstrate clear records, evidence of a willingness to comply, and having up-to-date systems will stand you in good stead. So maybe not so complicated after all, though time will tell.