Will my business be in breach of the GDPR?
We’ve put together a series of ‘what if’ scenarios to help you understand if you’re operating in breach of GDPR.
What if I only collect customer email addresses?
Email addresses can be used to identify individuals, so the GDPR applies. If you market your business by email, you must comply with GDPR requirements. When collecting customer email addresses, not only will you need their consent, but you’ll also need to explain how the data will be used. You cannot have a ‘pre-ticked’ opt-in box on your website, or use email to promote products/services beyond the purpose for which the customer initially gave their consent.
What if someone else processes the data my business collects?
As the data controller, under the GDPR, you must ensure that your contracts with processors comply with the GDPR, whether they’re based in the EU or not. The GDPR also applies to cloud-based data storage systems if the controller, processor or data subjects are EU-based. In any case, as an EU-based business, if you collect personal data, the GDPR applies.
What if I want to continue sending marketing materials to people on our existing marketing database?
You’re unlikely to have to refresh existing consents if they meet DPA requirements. To be sure, check how consent was obtained. If existing consents do not meet the GDPR standard, you’ll need to seek new ones that do. Consent should be freely given, specific, informed and unambiguous.
What if a customer asks me what data I hold about them?
Under the GDPR, a customer has the right to know what information you hold about them and how it’s processed. They can ask you to correct it if it’s inaccurate, and they can ask you to delete it if it is no longer required for the purpose for which consent was given.
What if I only store personal data in a manual filing system?
The GDPR applies to automated personal data and manual filing systems where “personal data is accessible according to specific criteria”. According to the ICO: “This could include chronologically ordered sets of manual records containing personal data”. So, the GDPR can apply, even if you only store customer addresses in a paper-based filing system.
What about customer personal data I collected years ago?
If you used an online campaign to request email addresses for those wanting to receive your newsletter, but no longer use them for this purpose, delete them. If someone hacked into your system and used the data for ‘phishing’ (i.e. fraudulent emails that seek to get people to reveal their passwords or credit card details), you could be severely fined.