Concrete tips from Paloma about GDPR
Don’t panic about GDPR. You can safely keep communicating with your customers and store personal data if you follow our simple tips.
- Take it easy, don’t believe all crazy interpretations and intimidation tactics.
- Keep in mind that you don’t own your customers’ data. You are borrowing it.
- Think about what data you collect and save and why you do it. We recommend that you collect as little information as possible about the person.
- Ask yourself why you collect the data.
- When do you remove the data?
- Who has access to it?
- Do we share it with any third parties?
- Make sure that you delete any old and irrelevant data that you don’t use any more.
- Draw up a document about where and how you store personal data.
- Do not buy or exchange addresses with partners either. At Paloma, this has been prohibited for a long time.
- Do you have foreign suppliers and/or are your customers’ data held in a third country? Ensure that your supplier has a Privacy Shield contract. If not, change supplier immediately!
- As a general rule, you should always seek consent, even if you don't need it. This improves the quality of your communication.
- Create consent procedures and ensure that you also obtain consent for older personal data, so that from now on you have consent for both old and new personal data wherever you cannot rely on a legitimate interest.
- Remember that consent only applies to the actual area for which you have obtained consent.
- You don’t need consent to continue communicating with existing customers and stakeholders. It is sufficient to refer to legitimate interest and GDPR. It is, however, important to remember that the customer must be able to contact you at any time to opt out of further communication.
- For those who send newsletters B2B: Our interpretation is that there will be no change when GDPR enters into force. Swedma’s recommendations continue to apply for the time being. See the lawyer’s comment below.
- Your customer has the right to request a copy of all data that you hold about him/her. The customer also has the right to be forgotten, i.e. to be removed completely from your records.
- Legitimate interest/balancing of interests applies when the individual has not explicitly given his/her consent. The company can carry out an assessment of whether its interest as a business outweighs the individual’s right to data protection. But in such cases, the customer also has the right to have his/her data removed, and that always carries more weight.
- Do you need to update user terms and conditions, which the customer then has to actively accept? The Swedish Data Protection Authority states that no new consent is needed ‘if the previously obtained consent meets the requirements set out by the Data Protection Regulation.’
- Identify your primary risk areas:
  - Do we manage sensitive data, such as illnesses or political affiliation? What do our procedures and processes for this look like? What is our level of security?
  - Create procedures and policies for how unstructured personal data should be handled and how to ensure compliance with the rights of the data subjects.
  - Unstructured form: personal data on employees’ computers, in photographs, in e-mails, in Excel or Word files, i.e. anything that may be attributed to a specific person.
  - How do we manage incidents, i.e. the risk of personal data falling into the wrong hands?
- Do I as a customer have the right to know what my personal data is used for? Yes, and this already applies, but now your obligation will increase to cover the individual’s right to and control of his/her own personal data.
- Which personal data do I as an individual have the right to request? Data that you have provided, for example e-mail address, user name and age, but also location information and search history. You are not, however, entitled to the data about you that the company has created, such as health status and credit rating.
- You don’t need consent from new customers to communicate with them, as long as the communication relates to the product or service that the customer has purchased. Remember to have terms of purchase in place so that you can refer to them!
- View consent as something positive. It deepens your relationship with the customer, as he/she actively approves their communication with you.
- Data portability means that the individual has the right to have his/her data in a sensible format to be able to use it for another service.
Last but not least, and especially relevant if you work with newsletters, the lawyer writes the following about legitimate interest:
‘There is the possibility, primarily in B2B relationships, to use the legal basis ‘legitimate interest’ in e-mail marketing. The Swedish Data Protection Authority has previously approved the trade organisation SWEDMA’s guidelines of what constitutes legitimate interest. However, please keep in mind that the guidelines may be updated after the introduction of GDPR in May.
As a general rule, these guidelines prohibit the collection of e-mail addresses in B2C relationships without consent. Exceptions are made for so-called ‘soft opt-ins’, where collection and mailing may be carried out in connection with sales negotiations under certain conditions. In B2B relationships, the assessment is much more discretionary. As a general rule, it is legitimate to collect and send marketing material via e-mail with the objective of reaching people in their professional role. There are, however, limitations concerning, among others, sole proprietors that are important to be aware of.’
Swedma is the industry and trade organisation for the companies and organisations that operate within the context of direct and data-driven marketing.
If you are concerned about how GDPR will affect your company, remember that common sense and orderliness go a long way. Feel free to read the articles here on Paloma’s GDPR blog and note that Swedma’s guidelines apply for the time being. At Paloma, we have the tools to support your work to fully comply with GDPR.