“I need help with GDPR. I’m not sure what I need to do to make sure we comply.”

Cybertill’s retail consultants hear that phrase often.

Over the past few weeks I’ve been inundated with emails pleading anything from ‘we’d love to stay in touch with you’ and ‘please don’t go’ to the less emotive ‘GDPR update.’ Ok, so that last one was actually a B2B e-mail, but the message is still the same. Businesses are panicking over who they can or can’t contact because there are still so many unknown areas. Could this be why only 40% of businesses worldwide are prepared for the change in law?

According to research, a massive 60% of organisations are at risk of missing the GDPR deadline… just to remind you, it’s almost a week away…

One of the most common queries we face is, “so, I’ve sent out numerous emails to my contacts asking to opt-in or opt-out, but we’ve had no responses, what do I do?” Hmmm tricky. Some e-mails I’ve received ask me to ‘click here to opt-in’, others ask ‘click here to opt-out’; whilst some assume that if they don’t hear from you, you automatically opt-in, or vice versa. The answer to the question is purely based on the content of the emails, but never assume in B2C communications that because someone hasn’t responded that it’s ok to keep contacting them! It’s not worth the fine.

Another common question posed to us is, “someone asked to be removed from our database, what should I do?” GDPR is all about protecting an individual’s rights and personal data. If someone wishes for their personal information to be ‘forgotten’, then no matter how disheartening it might be, it’s a must.

Who has the right to be ‘forgotten’?

According to the ICO, as it stands, someone has the right to request the removal of their personal information from your database if any of the following applies:

  • The contact’s personal data is no longer necessary for the purpose which you originally collected or processed it for
  • You are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent
  • You are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing
  • You are processing the personal data for direct marketing purposes and the individual objects to that processing
  • You have processed the personal data unlawfully
  • You must do it to comply with a legal obligation
  • You have processed the personal data to offer information society services to a child

All makes sense, right? Maybe. This is something that isn’t so clear cut, especially for Charity retailers who have to consider Gift Aid. Legally, charities must keep personal data in order to submit Gift Aid claims to HMRC.

When does the right to erasure not apply?

The only way you can keep a contacts personal data legally is if any of the following applies:

  • To exercise the right of freedom of expression and information
  • To comply with a legal obligation
  • For the performance of a task carried out in the public interest or in the exercise of official authority
  • For archiving purposes in the public interest, scientific research historical research or statistical Purposes where erasure is likely to render impossible or seriously impair the achievement of that processing
  • For the establishment, exercise or defence of legal claims

This would suggest that a person’s right to have their personal data removed does not apply if a charity needs to comply with a legal obligation, such as Gift Aid claims. Keeping Gift Aid records are so important to charities as it gives them the opportunity to increase their funds by up to 25% – something which is well worth the ‘opt-in’ for.

The important bit…

I can only stress though that this is my professional opinion as a marketer from reading the GDPR law and how it affects the retail and charity retail industries. If anyone is still unclear about the legislation, then we urge you to seek legal advice.

A great starting place for any queries on GDPR is the ICO website: https://ico.org.uk  I have found it an immense help!

logos

Copyright Cybertill Ltd and Cybertill Inc. All Rights Reserved. UK Company Registration Number: 4007218