Want to know why GDPR is a brilliant thing? Well, we’ve all had our inboxes rammed lately with huge numbers of brand new privacy policies and email opt-in requests from companies we’ve interacted with, companies we have forgotten we have purchased from, and companies we didn’t even know had our email address.
They all mention “GDPR” and for those confused, I thought I’d write this blog to tell you what it’s all about and why GDPR is a brilliant thing.
Why GDPR is a Brilliant Thing… Er… What’s GDPR?
GDPR, or the General Data Protection Regulation, is a European act that covers many things, but principally, and from our point of view as consumers, it governs how our personal data is used. It is one of the largest and most extensive regulations ever conceived and was released on the 14th April 2016. The act came into effect on the 25th May 2018.
Many people think that the GDPR is all about email opt-ins and companies having to get your permission to email you, and in a small part that is true, but the act has much greater and further reaching consequences than that.
Why GDPR is a Brilliant Thing: Reason 1 – The Amount of Data Stored About Us
The first reason why GDPR is a brilliant thing is that companies, like Gravy For The Brain, and all others must now approach our data with different principles than we used to.
Companies must now look at each individual data type that is being stored, categorise and qualify it, and justify why that data needs to be stored. We can only collect and store data that we justifiably need to run our businesses, and all of that data and the reasons for keeping it must be documented (and logged with the data controller that you are under the management of in the company’s host country, for example the Information Commissioner’s Office in the UK for GFTB).
Let me give you an example.
GFTB used to collect your full address as part of our onboarding process. The question that must now be asked is: do we need your full address?
Well, historically, we used to send out membership cards to our members, and in that instance, yes, we would need your address to post the card to. We no longer do this.
What we do want to do however, as we are an international company with students in over 85 countries, is use your country information to segment our emails to you. We want to do this so that we can reduce the amount of email you get from us, and increase its relevance. So if we have a social event in London and you live in Tampa, Florida, you shouldn’t get that email.
We have therefore justified our use of the country information. But your street address? Well, we don’t need that to run our business or fulfil our service agreement with you – so as of the 25th May, that data will be deleted for everyone.
The principle on which we now have to base our business is: “Do I as a company need this data? If the answer is no, then we don’t want it!”
This data redaction is a mandatory step for all companies. Those who do not comply with this are potentially liable to some pretty huge fines that everyone in the press has been talking about.
Don’t Some Companies Have to Keep My Data?
Yes. And no. So the GDPR rules state 6 reasons why you might keep data on customers. Two of them are not really relevant to us in general, such as being in the armed forces and so on, so that leaves these 3:
- The customer gives their consent for you to do so.
- You need to keep their data for regulatory/financial reasons, and deleting it would force you to break the law.
- You need their data to be able to fulfil a contract you have with that person.
In all of these cases, only the data that is necessary may be kept; the rest cannot be kept at all, or may be kept only for a specified duration, as detailed in the company’s privacy policy.
Then, in all of these cases, when documenting all the data sets mentioned above, one of these reasons must be given for each data type stored.
Why GDPR is a Brilliant Thing: Reason 2. – Data Storage Duration
Looking at these rules, it stands to reason then, that someone who is on GFTB’s mailing list and not a member would come under reason 1, but someone who is a full member would come (in different parts) under reasons 2 & 3.
So if our mailing list pal does not interact with us or open our emails for a specified time period – we now have to delete their data!
This is a brilliant thing for us as consumers because it means we are not on everyone’s mailing lists forever!
Why GDPR is a Brilliant Thing: Reason 3. – The Right to See Your Data
So how do you know what data is stored in a company about you? Well, now that’s easy to find out.
Free of charge, you can contact any company that holds data about you, and they legally must disclose all of it to you, warts and all. Why? Because it’s your data, not theirs.
At Gravy For The Brain, this is no small feat, especially for our full members. We have data about the courses you’ve taken, data on your Career Planner, your Career Profile Website, your CRM data, data you’ve written in our mentoring forums, info on how many orders you have placed with us and what they were for and so on.
So we have developed a fully automated system to immediately extract all of your data from all of our systems and display it to you. You don’t even need to ask us to do this for you – just log into your account, navigate to My Account and click the button – hey presto! All of your data illustrated in one place, anytime, and it’s always 100% up to date.
For those people who aren’t full members (or indeed past members) and therefore don’t have an account to log into, just contact our support team and we will run the data scanner on your behalf and send you the results.
Why GDPR is a Brilliant Thing: Reason 4. – The Right to Be Forgotten
So… you now know what data is held about you. Whoop! Whoop!
Now, one of the best things about the GDPR is the right to be forgotten. This means that at any point, you can call up any company and ask to have your data removed. In its entirety!
The only caveat to the deletion of the data is that the company does not have to delete it if doing so would break reason 2 above – you can’t force a company to break the law by having your data deleted.
However! Think about the data you have and the data the company needs to keep. If, for example, you ask for deletion of your account and data at GFTB, we can only retain the financial and regulatory information we require about you – all the other data I mentioned above… must legally be deleted.
In certain cases, your retained data may also be anonymised, so that it cannot be linked back to you in any way.
Why GDPR is a Brilliant Thing: Reason 5. – The Right to Data Correction
At any point, having seen your data, you can request that the company corrects any data that may be incorrect about you. Again – free of charge.
So if you move house – you can change your address!
Why GDPR is a Brilliant Thing: Reason 6. – The Right to Data Redaction
Another great feature – at any point in time you can ask the company to remove any data that they have about you that they have not justified their reasons for storing.
Here’s a great example of that. Does GFTB need to know that you are married, or your relationship status, to be able to fulfil our membership offering to you? No! We do not! So we don’t need to store whether you are Mrs., or Miss, or Ms.! You have the right to have this data removed!
This doesn’t just mean the data they hold in the cloud in real time; it also means any backups or archives that are held. Paper copies. Memory sticks. If it’s data – that’s all included.
Remember, this is your data, not the company’s!
Hopefully, by now, you’re starting to agree with me why GDPR is a brilliant thing. As well as being the owner of GFTB, I’m a consumer of many companies too – and this affects me positively just as it does you.
Why GDPR is a Brilliant Thing: Reason 7. – The Right to Opt-Out and Un-Consent!
Most people know that you legally have to be able to opt out of marketing at any point. We have to give you an unsubscribe link on every email we send now (Even though GFTB has done this for years!)
But did you know that under GDPR you now have the right to remove your consent to any of the Privacy Policies and Terms & Conditions you have signed up to in the past? With any company?
Legally we have to make this easy for you – if you would like to do this at GFTB please contact our support team and we will be happy to remove your consent to our Privacy Policy and our Terms and Conditions you may have agreed to.
Why GDPR is a Brilliant Thing: Reason 8. – Data Breaches
OK, so we can see our data at any time, we can have it redacted, updated, changed, deleted and so on.
But what if your data is stolen from the company? What if there is a data breach?
The press has been hot on the heels of big banks when they have suffered data breaches in recent years, and the personal data of many millions of users has been hacked or stolen, and sometimes even made public on the internet. But up until this point, only those large institutions legally had to declare them.
GDPR thankfully changes all that. Any company that now suffers a data breach must legally inform its responsible managing institution (as mentioned, the ICO in the UK for GFTB) within 72 hours, and provide full details of the breach.
This data breach information is then made public on their website. Fines are high!
Better than that – if the information breached is considered to be critical, for example credit card information, the company is also obligated to contact each customer immediately.
This legislation forces companies to be pro-active and much more responsible with their data security, their policies and procedures, and their knowledge and principles about how they deal with our data.
Why GDPR is a Brilliant Thing: Reason 9. – Data You May Not Have Thought Of…
Data is data, end of conversation.
But people tend to think, in today’s internet century, that by data we mean electronic data, stored and used online, in the cloud, in websites, in email and so on.
But think about it – there is a lot more data held on us than that.
Let’s consider the One Voice Conference, run by GFTB. If we have paper copies of your subscription to a particular workshop, to be able to ensure that only the right people attend each workshop – that is data!
We are now obliged to protect that data in exactly the same way, to plan and categorise it, log it with the ICO and ensure that the paper copies remain solely with GFTB staff!
Let’s also consider the phones we all carry with us. At GFTB we have access to our work email and our online storage area. If those phones are stolen – that’s a potential data breach! (If you’re interested to know how we deal with this at GFTB, all our information is stored in Google’s G-Suite, and can be remotely wiped from any of our devices should they be stolen).
So we as companies must be much more responsible in how we approach data, how we store it, how we secure it. It’s why we now love the phrase I mentioned at the start of this blog – “If I don’t need that data – I don’t want it!!!”
Why GDPR is a Brilliant Thing: Reason 10. – Annoying Pre-Filled Checkboxes!!
We all know them. We have all been caught out by them. Pre-filled checkboxes to obtain consent are horrible and often very confusing. You know the kind of thing:
“If you would not like to not receive no marketing from us, then do not uncheck the No checkbox unless you would not like us to not email you and never not sell your data to third parties.”
Or even worse:
“By paying for this product you agree to allow us to market to you”… with no option to disagree at all!
Under GDPR, that’s now all gone. Companies may not pre-fill checkboxes to obtain consent, and may not do the negative (i.e., leave it unchecked and state that you need to opt-out by checking the box). You need to perform the action to opt-in.
Better still – buying a product is no longer considered consent to allow marketing.
Why GDPR is a Brilliant Thing: Reason 11. – Legalese/Legalshmese
A lawyer once told me that if you want people to read your terms and conditions, write them in plain English and in one column. If you don’t want people to read your terms and conditions, write them in ‘legalese’ (i.e., heavy legal terminology) and in two columns per page.
Bit mean, isn’t it?
But no more! With GDPR, Privacy Policies and Terms & Conditions must be written clearly and in plain English.
No more hiding things from consumers.
Why have I been getting just Privacy Notices from some Companies and Opt-Ins from others?
There are a few reasons for this.
A) Firstly, not all companies have properly investigated or understood the regulations. They’ve seen that others are asking people to opt-in again and are just doing the same, or instead just telling you that they’ve updated their privacy policy.
The main reason, though, is that the approach for reasons 1-3 above is different.
An example is probably the best way to illustrate this:
B) Let’s say you’re not a GFTB member. In this case, the data we hold on you is based on your consent, so reason 1 applies, and in this case, we must re-obtain your consent to market to you and acknowledge our Privacy Policy.
C) Let’s say you are a GFTB member. In this case, the data we hold on you is based on needing to have the data to fulfil our contract with you, and in this case, we do not need to re-obtain your consent, but we do need to show you our new Privacy Policy.
D) Let’s say you are an ex-GFTB member. In this case, the data we hold on you is based on needing to retain it for regulatory/financial reasons – it will be redacted (for full details on this see our Privacy Policy!) – and in this case we do not need to re-obtain your consent, but we do need to show you our new Privacy Policy.
These three cases are why everyone is doing it differently, and sometimes on a customer-by-customer basis.
Which Companies Are Doing It Right?
Not everyone is getting this right of course, and many smaller companies, woefully so. Be aware of these companies because if they aren’t getting it right at this stage, they are likely not being responsible with your data or protecting it properly either.
If you’re one of the customers being asked to re-opt in, as opposed to just being shown the Privacy Policy, a link to a Privacy Policy is no longer considered adequate: the privacy policy must be displayed in full, in black writing on a white background (easy to read), with a checkbox to opt in. The company must then store a provable timestamp of your consent for future reference.
Why Does That Matter?
It matters because we as consumers now have control over our data and we get to pick and choose who we give consent to and remove it if we’re uncomfortable.
If a company isn’t playing by the rules or has got it wrong – it’s likely that they aren’t treating your data with the respect it should be treated with either.
But I’m Not In Europe – Does it Affect Me?
Almost invariably, yes. All companies in Europe must comply with GDPR.
And….
All companies globally who have any European customer data in their systems must also comply.
What this means is that the vast majority of global companies now have two options:
- Keep two sets of Privacy Policies and two sets of Terms & Conditions for their EU and non-EU members.
- Do what almost all of them are doing, which is to bring the data standards for all of their customers up to the GDPR standards so everyone complies.
I’m in Britain – What Happens When Britain Leaves the EU?
The UK has already drafted legislation that almost exactly copies GDPR which will come into effect as soon as the UK leaves the European Union.
This means – there are no loopholes! There is no escape! Companies must comply with GDPR and then immediately with the UK version once Brexit occurs.
And don’t forget, any British companies will likely have EU customers and so must also comply with GDPR for the same reasons as say, the Americans.
In Conclusion: Why GDPR is a Brilliant Thing!
I hope by now that you agree with me that GDPR is one of the best things to happen to consumers, ever, and definitely since the advent of the internet.
We, as consumers now get the best of both worlds; we get to pick and choose where our data is kept, how long they keep it for, and if we’re not happy, we can choose to remove it. If they break the rules, we can report them. If they do not keep our data securely, we can see publicly what’s happened to our information.
Yes – it’s been a pain in the arse for us all to go through the vast amounts of GDPR emails we’ve received from companies – but this is a one-off exercise! As of today – it’s done!
And for GFTB as a company? Well, we’re just as happy. We can now provide much more focused emails to our customers, in lower quantities than before. We know that in our database, everyone who is there… genuinely wants to be there… right now. And if they decide that GFTB isn’t for them? No problem – we’ll part as friends, knowing that we’ve been as responsible to them and their data as we could have been.
Those companies who fear change and do not move with the times will soon suffer the consequences of their lack of action…
So is GDPR a brilliant thing?
You bet your bottom €Euro!
Hugh Edwards, 25th May 2018.
StephenRyder says
At last, GDPR in an understandable form.