It’s a simple thing; I was given a card at a restaurant and asked to provide feedback along with some innocent details about myself. However, when I looked at it with my ‘GDPR Practitioner’ head screwed on, I started to ask myself how many businesses and organisations collecting personal data like this are going to be compliant with the new EU GDPR.
Think about the number of places you are asked for your personal details. It probably happens far more than you notice. It might only be your first and last name, or maybe, as in this case, your email on a feedback form. Another occasion is when you sign in at a company’s reception as a visitor. You’re asked for your name, your company, your car registration, and your signature might also be collected to confirm your understanding of their safety policy.
The feedback card mentioned above is, I think, going to cause a significant problem for restaurants asking for personal data. It’s probable that such businesses genuinely want feedback, but they may also wish to capture data for use in marketing.
The six Data Protection Principles of the new EU GDPR are that data must be:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate and, where necessary, kept up to date
- Retained only for as long as necessary
- Processed in an appropriate manner to maintain security
Principles 1, 2, 3 and 6 are of concern in relation to the feedback card, so let’s look at that example in more detail:
The restaurant may feel it has a corporate and fair interest in gathering your data. However, is this a lawful enough reason? Are they being clear and transparent, informing you of the explicit purpose of collection, or is your data being used towards marketing purposes? (Principles 1 and 2)
They could get your feedback, if that’s what they truly want, just by asking for it without personal data. Therefore, the data request goes beyond that which is adequate to get feedback. (Principle 3)
What will they do with details like your name and email address? Where will they store them? How will they ensure that they are kept secure? (Principle 6)
Article 13 of GDPR places an obligation on any company or organisation collecting data at source to provide a clear, explicit privacy statement, and to gain ‘explicit’ consent. Do your feedback forms requesting personal details account for this? If not, they will need to.
Okay, so what about the sort of signing-in sheets found in receptions?
If a given company or organisation has a clear statement saying that data collected is required to know who is on their premises at any one time, and in the ‘vital’ interest of their safety, then this may be enough to be compliant with EU GDPR.
However, the following needs to be considered and documented: what happens with the completed sheets, where they are stored, and how long they will be kept for. (Principles 5 and 6)
You get my drift? I hope so.
ALL companies and organisations MUST be compliant with EU GDPR by 25 May 2018, along with the new Data Protection Bill going through Parliament now.
So, what can you do about it?
You will need about 100 days to complete a process of reviewing existing policies, procedures, data flows, data asset registers, etc. If necessary, you will then need to start redesigning your data protection policies and processes, and then reimplementing them.
So, are you underway on this? If not, it’s time to get busy.
If you are unsure where to start, you are welcome to contact us for a chat, and we’ll be happy to give you some pointers. If you have a problem but don’t have the time or people to resolve it, we can help there too.
GPP-Digi Ltd provides cloud-based Digital Data Protection and EU GDPR Implementation and Management Solutions. The Gill Payne Partnership Ltd provides consultative services along with different levels of EU GDPR and Data Protection training programmes internationally. Contact us or phone 0044 (0)1469 533907.