A&L Goodbody recently hosted a Workshop in association with Flint Studios to educate local businesses on the steps that must be taken to ensure compliance.
The message of the day was ‘do not panic’ with Mark Thompson and Jonny Hacking from A&L Goodbody discussing what GDPR is; what the changes will be; the key reform themes; and most importantly, what you need to consider.
The following paragraphs summarise some of the key information shared at the workshop.
- Determine what personal data you currently hold and on what basis you process this data
Data subjects can include employees, supplier contacts and customer contacts. This data may be in the form of CVs or application forms; contract of employment; interview records; banking details; behavioural data; payment data, amongst many others. The definition of ‘personal information’ is extremely broad so this audit is crucial to determine exactly what data you receive, retain or discard.
- Establish what data processing you outsource to third parties
Think broadly about outsourced processors such as payroll, pension, telecoms, IT or insurance providers and professional advisors. Consider how each of them uses this data, the potential for a breach of that use, and the implications for your company if the arrangement is non-compliant with the GDPR.
- Look specifically at your marketing communications
Under GDPR, any company must have a lawful basis to conduct direct marketing. However, GDPR recognises that direct marketing will often be a ‘legitimate interest’ of the data controller with legitimate interests being a non-consent ground for data processing. In these cases, the company must offer an opt-out. E-mail and SMS marketing will require opt-in consent as per the Privacy and Electronic Communications Directive.
- Consent for marketing database
In the majority of cases, fresh consent will not be required from your entire database. If consent for data processing was collected pre-GDPR, on the basis that the consent was “unambiguous” and “demonstrable”, you may be able to continue to rely on that consent post-GDPR. However, if previously you sought opt-in consent, you may need to refresh those consents for GDPR compliance.
Whilst this requires time and effort, the risks of non-compliance are much too great to take a chance. The GDPR changes are vast and whilst the volume of data will differ from company to company, we think many companies, particularly SMEs, could be surprised upon discovering how much data they actually hold, and legal advice is recommended.
For more information in relation to the above, please contact Mark Thompson or Jonny Hacking from A&L Goodbody on 028 9031 4466. Alternatively, email [email protected] / [email protected].
*This article is simply some of the information shared at the session but should not be taken in place of legal advice.