Frequently Asked Questions

Will I need to have all new service agreements and contracts with my clients, suppliers and trading partners?

That depends on whether your current T&Cs or service agreement clauses will stand up to GDPR requirements:

  • Due diligence must be carried out for all data sharing relationships (controller, processor, security etc).

When is a Data Protection Officer (DPO) required under GDPR?

A DPO is mandatory under the GDPR for 1) public bodies, 2) where large-scale monitoring/processing of personal data occurs, or 3) where processing of special category data occurs. Even if a DPO isn’t mandated, any business can still choose to appoint one as best practice.

What does ‘soft opt-in’ mean?

Any material we send to our historic customers is always related to their initial enquiry in some way. Does this mean we can use the soft opt-in process to continue marketing to past clients without consent?

You can only send unsolicited electronic marketing to someone if you have their consent to do so. The exception is where all of the following hold:

  • Their details were gained as part of a sale; and
  • The messages you send are marketing similar products or services; and
  • You can prove the customer actively opted in to marketing when their details were first collected; and
  • All subsequent messages clearly offered opt-out or unsubscribe options.

Self-service Systems: Do these need auditing?

For customer and employee self-service system portals (e.g. for creating your own shopper account, or for HRiS and benefits platforms) it’s always a good idea to run regular data cleansing to flush out old/inactive accounts.

Is a Privacy Notice the same thing as a Data Protection Policy?

If you wish, these can be subheadings within a privacy notice, depending on how complex the business operations and personal data processing are, or how large and structured the business is. Remember they need to contain succinct detail and not be full of legalese.

I’m an independent consultant with a range of clients. I know a bit about GDPR – can my clients appoint me as their DPO (Data Protection Officer)?

Mandated DPOs can be external as well as internal; however, you should ensure you gain expert, verified training and certification before advising on any area of legislation. Clients and insurers will likely insist on this.

Does anything need to be added to our client’s employment contracts to the above effect?

Yes – they’ll need to issue a privacy notice addendum to existing staff contracts, and devise new contracts to incorporate this for new hires moving forward.

Do we need to seek explicit consent for everything?

Only if consent is the appropriate lawful basis for this processing: businesses need to determine the correct lawful basis, from the list of those available, for any personal data processing they carry out.

Do I need to publish my own Privacy Notice?

Yes – any business, no matter the size, needs to publish such a statement if they process personal data, either for themselves or on behalf of another business.

Do I need to delete all my emails?

From a cyber security perspective, email can be a very insecure and unreliable method of storing data. The data minimisation and limited purpose principles mean you will need to review and delete outdated personal data held in email systems.

Do companies need separate policies to cover topics such as retention, deletion, breach and subject access requests?

Not necessarily; a privacy notice is a public statement, issued to outline a company’s approach to data privacy compliance, whereas a policy is the background rationale and detail behind it. Small businesses shouldn’t need both.

Do clients need all staff to sign something to say they / we hold employee personal data?

No – they’ll need to determine what personal data they use, for what purpose, and on what lawful basis; consent is unlikely to be valid, unless they are passing data overseas / outside the EU or EEA unnecessarily.

Can we still hold onto CVs received for vacancies?

Holding and storing CVs is still processing, and requires a documented lawful basis for doing so, ensuring individuals’ rights under the GDPR are upheld:

  • Transparent, informed and limited purpose, taking all steps to keep it updated and reviewed periodically;
  • Genuine choice and control, with easy opt-out choices;
  • If you rely on historical consent, that consent must meet GDPR standards, or you’ll have to refresh it;
  • Offer unbundled active opt-in for different processing operations, and keep these separate from your T&Cs;
  • Documented information on all opt-in/opt-out records.

Can we send an opt-in request email to our entire database for all our different electronic marketing services? Must we offer an opt-out on each?

You’ll need to consider the lawful basis for keeping people’s details on file, in line with GDPR’s requirements:

  • Transparent, informed and limited purpose, taking all steps to keep it updated and reviewed periodically;
  • Genuine choice and control, with easy opt-out choices;
  • If you rely on historical consent, that consent must meet GDPR standards, or you’ll have to refresh it;
  • Offer unbundled active opt-in for different processing operations, and keep these separate from your T&Cs;
  • Documented information on all opt-in/opt-out records.