{"id":114214,"date":"2018-04-18T11:00:44","date_gmt":"2018-04-18T11:00:44","guid":{"rendered":"https:\/\/www.vuelio.com\/uk\/?p=114214"},"modified":"2019-07-12T11:30:23","modified_gmt":"2019-07-12T10:30:23","slug":"the-gdpr-your-questions-answered-part-1","status":"publish","type":"post","link":"https:\/\/www.vuelio.com\/uk\/blog\/the-gdpr-your-questions-answered-part-1\/","title":{"rendered":"The GDPR: Your questions answered, Part 1"},"content":{"rendered":"<p><strong>Vuelio was thrilled to be joined by Rowenna Fielding, senior data protection lead at the data protection consultancy <a href=\"https:\/\/protecture.org.uk\/\" target=\"_blank\" rel=\"noopener\">Protecture<\/a>, for our recent webinar: GDPR for Comms \u2013 Expert Advice to Get It Right. Unsurprisingly, we had dozens of questions to get through and couldn\u2019t manage to answer them all on the webinar itself.<\/strong><\/p>\n<p>We split these questions into two parts: general questions about the GDPR and those specifically about using Vuelio in relation to the GDPR. Rowenna has very kindly answered the general questions below, the second part focusing on Vuelio is available <a href=\"https:\/\/www.vuelio.com\/uk\/blog\/the-gdpr-your-questions-answered-part-2\/\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p><span style=\"font-size: 20px;\"><strong>How active does consent have to be? For example, if someone was to add their email to a list knowing they will be updated with an email (&#8220;Add your email to stay updated&#8221;) would they still need to opt in?<br \/>\n<\/strong><\/span>Adding their name to the list would be the opt-in in that case. However, if you collected the email for another purpose (such as sending a meeting invitation) then you\u2019d need to get consent separately for marketing. \u2018Bundling\u2019 consent (eg, \u2018by consenting to x, you also consent to y\u2019) is not allowed as it is not specific and unambiguous. 
Similarly, inferring consent (eg \u2018by visiting this website you consent to your data being processed\u2019) is also not valid, as such consent is not specific, unambiguous or freely given. The outcomes you\u2019re looking for are:<\/p>\n<ul>\n<li>The person giving consent should never be surprised to find that they\u2019ve agreed to something<\/li>\n<li>The person should never be surprised to realise what they have agreed to<\/li>\n<li>You can show some evidence that they took some positive action to agree to a specific type of processing of their own free will, having been given enough information to make an informed choice<\/li>\n<\/ul>\n<p><strong>\u00a0<\/strong><\/p>\n<p><span style=\"font-size: 20px;\"><strong>If we remove all information about someone from our database (based on their right to be forgotten and removed), can we store any information on them in order to ensure they are not added back (e.g. email in a blacklist)?<br \/>\n<\/strong><\/span>Chances are that although they have asked to be forgotten, what they really wanted was to object to your processing \u2013 not quite the same thing. If the outcome they are seeking is not to hear from you any more, then you must keep their info for suppression purposes. I advise explaining to them that you need to keep the info to prevent future comms being sent to them but that you won\u2019t use the data in any other way. However, if they insist on erasure then you\u2019d need to look at the legal basis for processing to determine whether that right even applies. 
Someone who has asked to be erased shouldn\u2019t turn up on the database again unless they explicitly opt in anyway \u2013 or unless you\u2019re buying in email contact lists, which is a very risky practice, compliance-wise.<\/p>\n<p>&nbsp;<\/p>\n<p><strong><span style=\"font-size: 20px;\">If we email our contacts asking for their consent, can we still keep sending them stuff if they don&#8217;t reply at all?<\/span><br \/>\n<\/strong>If you don\u2019t already have their consent (or soft opt-in) for email marketing, then it is unlawful to email them to ask for it. If you ask and don\u2019t get an answer, that\u2019s the same as a \u2018no\u2019 \u2013 only a positive action to indicate agreement can be consent. If you carry on emailing them without consent, you run a much greater risk that complaints will result and trigger an ICO investigation.<\/p>\n<p><strong><span style=\"font-size: 20px;\">If a client asks for our media list with journalists on, would we need to tell each we are passing the information 
on?<\/span><br \/>\n<\/strong>Depends on where the information came from, how, what you\u2019ve already told the journalist about how you\u2019ll use their information, whether the information could be obtained anyway from public sources, what the client is going to do with the information&#8230; If handing out the journos\u2019 contact info is something you do often then that\u2019s the sort of thing you do need to put into a privacy notice and call the journalists\u2019 attention to.<\/p>\n<p>&nbsp;<\/p>\n<p><strong><span style=\"font-size: 20px;\">Would a footer on your email sign-off stating that you hold data be sufficiently clear?<\/span><br \/>\n<\/strong>It\u2019s one way to communicate privacy info, but since no one actually reads email footers, you might have a difficult time demonstrating that it is an effective approach. Linking to more detailed privacy info in an email footer certainly doesn\u2019t hurt and gives wider exposure, but if it is a standard footer then the information given would either need to be large in volume, or so generic that it doesn\u2019t actually meet the GDPR Article 13 and 14 requirements.<\/p>\n<p>&nbsp;<\/p>\n<p><strong><span style=\"font-size: 20px;\">Are opt-in checkboxes on landing pages and websites enough for compliance for digital marketing campaigns (i.e. downloads, subscriptions)?<\/span><br \/>\n<\/strong>Opt-in mechanisms are one aspect; suitable privacy information, unsubscribe links in each message, an accurate up-to-date suppression list and audit trails of consent given are all required. Then, the personal data has to be processed in compliance with all of the principles.<\/p>\n<p>NB: Yes\/No sliders or radio buttons are better than tick boxes, as tick boxes create ambiguity about intention where someone who has previously ticked fails to do so a second time.<\/p>\n<p>&nbsp;<\/p>\n<p><strong><span style=\"font-size: 20px;\">What are the rules within the historical archiving? 
When do exemptions apply?<\/span><br \/>\n<\/strong>If the processing is <em>necessary<\/em> for historical archiving, then that\u2019s an acceptable legal basis (ie no consent needed, some rights including erasure and subject access are limited, no need to go back and tell data subjects that\u2019s what you\u2019re going to do), but a risk assessment of the potential impacts to the data subjects\u2019 rights and freedoms is required and steps need to be taken to manage those risks. Depending on the processing and the types of data involved, this could vary from not publishing the data for at least 100 years, to redacting names or other identifiers, to only using aggregated statistical information (those are just hypothetical examples, not a checklist!).<\/p>\n<p>&nbsp;<\/p>\n<p><strong><span style=\"font-size: 20px;\">How long are we able to keep records for?<\/span><br \/>\n<\/strong>It depends on the purpose of the record-keeping, any legal obligations for record-keeping, business\/operational needs for the data to be preserved and a balance against rights and freedoms of the data subjects. That one is impossible to answer generically; it needs digging into \u2018what records, and why would you want to keep them?\u2019<\/p>\n<p>GDPR says you can keep them as long as you need them, but it\u2019s up to you to justify how long that is and you have to be able to prove that you really need them, and you\u2019re not just keeping them hanging around in case they turn out to be useful later.<\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-size: 20px;\"><strong>If we have thousands of emails going back to 2005 from press and clients, do we have to delete them all? 
The problem is we have sometimes had to refer back to some of them, so to delete them all would clear all records of any agreement.<br \/>\n<\/strong><\/span>You need to review them to determine which to keep and which to delete \u2013 that will depend on the purpose of processing the personal data in the first place, and the legal basis. You could just delete them all \u2013 that would be much easier than going through them! However, you can\u2019t just keep them all either in case there is useful info tucked in there. You need to define what you want to keep and why (such as records of transactions, agreements, complaints) and get rid of anything that doesn\u2019t fall within those criteria.<\/p>\n<p><strong>\u00a0<\/strong><\/p>\n<p><span style=\"font-size: 20px;\"><strong>If you gather emails through a third-party email platform, is there anything additional you need to do?<br \/>\n<\/strong><\/span>If the third party is just a Processor then you need to have done some diligence on their data protection compliance, you need contract clauses addressing data protection to be in place, and you should be doing some kind of checking or monitoring that they are doing the things you\u2019ve told them to (and not doing anything you haven\u2019t told them to).<\/p>\n<p>Some US-based services are problematic because they are not just Data Processors. They use the personal data that travels across their services for their own commercial purposes, such as profiling for targeted advertising, selling insights or access to data for marketing purposes to other parties, and sending their own marketing comms. 
You need to read the Ts&amp;Cs and privacy info very carefully \u2013 in general, it\u2019s lower-risk to use an EU-based provider, for reputational protection if nothing else.<\/p>\n<p>&nbsp;<\/p>\n<p><strong><span style=\"font-size: 20px;\">We use an American email service; will it be contravening GDPR because the data goes via a server in the US?<\/span><br \/>\n<\/strong>It\u2019s not the US transfer that\u2019s the problem; it\u2019s the processing that the platform may do as a Data Controller (profiling, marketing, cross-customer data-matching, augmenting data from third-party sources) which you could be exposing your subscribers to without an appropriate legal basis or transparency info.<\/p>\n<p>&nbsp;<\/p>\n<p><strong><span style=\"font-size: 20px;\">What is the best way to get informed consent when people are signing up (e.g. to a mailing list) using a paper form? Is it necessary to show them a printed copy of your entire privacy notice?<\/span><br \/>\n<\/strong>There\u2019s no \u2018best\u2019 way, really. The only privacy info they need to be given at the time of consenting is the stuff that\u2019s relevant to what they are consenting to. So, if you are asking for consent to send email marketing, you\u2019d need to tell them about any embedded tracking, data augmentation using third-party sources, and what sort of content they can expect to receive (the purpose of the processing). If your privacy notice is one huge document that tries to cover everything, then you\u2019re doing it wrong! You also don\u2019t have to supply the information in hard copy. 
See the <a href=\"https:\/\/ico.org.uk\/for-organisations\/guide-to-data-protection\/privacy-notices-transparency-and-control\/\" target=\"_blank\" rel=\"noopener\">ICO\u2019s Privacy Notice Code of Practice<\/a> for more detailed guidance.<\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-size: 20px;\"><strong>What consent is required for taking a photo for a news release or social media feed and then storing it and reusing it in a publication? Must they tick every box, for example: &#8216;you can use my photo on: website, social media, corporate publications etc.&#8217;? Or can it be a catch-all paragraph giving permission to store and use on any comms channel and just give examples within that paragraph?<br \/>\n<\/strong><\/span>It depends on the purpose that the photo will be used for. Journalistic (ie informing the public rather than marketing) uses have a large exemption so consent would not be needed (although a model release for image copyright purposes may be advisable \u2013 but that\u2019s a totally different thing for a different law). Consent must be specific to the purpose and the types of processing associated with that purpose \u2013 so just listing channels wouldn\u2019t be suitable unless the photo would be used on all of those channels for exactly the same purpose. Catch-all\/blanket consent for any possible future use is never valid. In every case, you need to look at the purposes of taking and using the pictures, determine the legal basis for that, provide suitable privacy info, inform people of their rights, have processes in place for objections (where those apply) and good record management to support subject access or erasure requests later.<\/p>\n<p>&nbsp;<\/p>\n<p><strong><span style=\"font-size: 20px;\">What words would we need in a contract in terms of providing a service to clients?<\/span><br \/>\n<\/strong>Depends on the service you\u2019re providing! 
Impossible to answer that without more info; that\u2019s the sort of advice you\u2019d need to hire a data consultancy for.<\/p>\n<p>&nbsp;<\/p>\n<p><strong><span style=\"font-size: 20px;\">What is changing with the GDPR in Open Source Communities that use &#8216;Open access&#8217; Database?<\/span><br \/>\n<\/strong>The GDPR doesn\u2019t change much in principles and obligations, so if everyone using that resource is doing so in compliance with the Data Protection Act 1998 then all they need to do is some additional record-keeping and a review of any consent that may be needed. However, if data protection has not been designed into the structure and uses of the database, then there may be a lot of work to do. That one\u2019s impossible to answer without much more specific information on who the Data Controllers are and the purposes of processing!<\/p>\n<p>&nbsp;<\/p>\n<p><strong>If you&#8217;d like to make sure your comms is compliant with the GDPR\u00a0in time for 25 May, then <a href=\"https:\/\/www.vuelio.com\/uk\/#demo\" target=\"_blank\" rel=\"noopener\">get in touch<\/a> and we\u00a0will help you out.\u00a0<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Vuelio was thrilled to be joined by Rowenna Fielding, senior data protection lead at the data protection consultancy Protecture, for our recent webinar: GDPR for Comms \u2013 Expert Advice to Get It Right. 
Unsurprisingly, we had dozens of questions to get through and couldn\u2019t manage to answer them all on the webinar itself.<\/p>\n","protected":false},"author":423,"featured_media":114224,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[7365,7372,7272,7238],"tags":[],"_links":{"self":[{"href":"https:\/\/www.vuelio.com\/uk\/wp-json\/wp\/v2\/posts\/114214"}],"collection":[{"href":"https:\/\/www.vuelio.com\/uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.vuelio.com\/uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.vuelio.com\/uk\/wp-json\/wp\/v2\/users\/423"}],"replies":[{"embeddable":true,"href":"https:\/\/www.vuelio.com\/uk\/wp-json\/wp\/v2\/comments?post=114214"}],"version-history":[{"count":5,"href":"https:\/\/www.vuelio.com\/uk\/wp-json\/wp\/v2\/posts\/114214\/revisions"}],"predecessor-version":[{"id":123508,"href":"https:\/\/www.vuelio.com\/uk\/wp-json\/wp\/v2\/posts\/114214\/revisions\/123508"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.vuelio.com\/uk\/wp-json\/wp\/v2\/media\/114224"}],"wp:attachment":[{"href":"https:\/\/www.vuelio.com\/uk\/wp-json\/wp\/v2\/media?parent=114214"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.vuelio.com\/uk\/wp-json\/wp\/v2\/categories?post=114214"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.vuelio.com\/uk\/wp-json\/wp\/v2\/tags?post=114214"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}