(GDPR 2018) – IMPORTANT: The following is not legal advice and should not be used as such.
Recently, a lot of our customers have contacted us regarding the GDPR (General Data Protection Regulation) and how it can affect them as data controllers. It’s important to note that the GDPR is more of an improvement on the Data Protection Act (DPA) than on PECR (Privacy and Electronic Communications Regulations).
The GDPR is not quite as stringent as many fear, but it does affect marketing in three critical areas.
The first concerns opt-ins, opt-outs, and consent to communications. The GDPR mandates that consent must be ‘freely given, specific, informed, and unambiguous’, and articulated by a ‘clear affirmative action’. That means you can’t assume consent based on ‘inactivity’ (i.e. the customer hasn’t opted out, so they must be ok to call), and that a pre-ticked box on a webform is not ok: they must instead tick the box themselves. Prospects and customers must agree that their data can be used and that they can be contacted. Similar to current PECR regulations, the wording could be “By ticking this box, you agree to be contacted by COMPANY NAME by telephone, email or mail”, although ideally it should go deeper and ask which method they’d prefer. It’s primarily about opt-ins.
The second is the much-discussed right to be forgotten. The GDPR is designed to give individuals more control over how their data is collected and used – and this means giving them some means of accessing and removing their data. They can do this when there’s no legitimate reason to process their information, when they withdraw consent for it to be used on the original terms, and when it’s been unlawfully processed.
You have to be able to justify the need for the data you hold.
The third change is to the legal basis for processing personal data. Practically speaking, this will necessitate better housekeeping on the part of marketers – and less collecting of data for unnecessary or frivolous reasons. So, if your business is selling windows, for example, you cannot ask customers when their home insurance is due for renewal, as this is a totally separate and unrelated product, and you most definitely cannot sell this data on without explicit consent and a new opt-in from the client. The current Data Protection Act asks if you need that information. Essentially, if you’re running a call centre, it may be useful to have the name of someone, but why do you need their date of birth?
Blue Telecoms and GDPR
By using Blue Telecoms’ hosted dialler or phone system, you’re already most of the way there with GDPR.
As usual, we have strict data protection guidelines in place, including secure audited access to your servers, whitelisting and credential management. A current copy of our Security and Data Security policy is available, dated March 2016. This covers how the servers are kept secure.
Furthermore, our free live TPS (Telephone Preference Service) checking service is also vitally important for making sure that your efforts not to nuisance-call registered users are up to date.
If you do receive any requests to remove data, or if you would like to delete data that you do not need to hold (e.g. date of birth), you can put a request in via ticket for us to securely delete just that specific data. Once deleted, it will not be accessible by anyone, and will be permanently erased.
For more information please visit: https://ico.org.uk/for-organisations/