ISSUE 2 - GRC's GDPR GUIDE


GDPR Guide SME NEW WINNER 2022 GRC INFORMATION MANAGEMENT SERVICES


I want to say a HUGE personal thank you for choosing to read my newsletter. I know your time is extremely valuable, so thank you.


In this edition, I’ll be covering three things:


1. Do You Always Ask For Consent?

2. Is It Too Late To Become GDPR Compliant?

3. Thriving in Your Business


Do You Always Ask For Consent?

In March and April 2022, GRC ran eight free GDPR and Data Protection Clinics for freelancers and businesses to answer their on-the-spot questions. There were lots of questions about relying on consent under GDPR, e.g. “Do I need clients’ consent before I do business with them?” and “If I get clients’ consent to hold their data to process their orders, can I then add their details to my marketing database?”


It quickly became apparent that business owners typically think that seeking consent is always the right thing to do under GDPR.


Under GDPR, as a business owner, you make decisions on the data you need, why you need it and how you will obtain it. You must rely on at least one of the following to justify why you are collecting and processing other people’s data:


Consent

The individual has given you permission and clear consent to use their data for a specific purpose. There are specific rules that must be followed if you are relying on consent.

Performance of a Contract

The individual has given you their data because it allows you to perform a contract that they have entered into with your business.

Legitimate Interest

The individual has given you their data because it allows you to carry out an activity that the individual would normally expect from your business like marketing or the use of CCTV.

There are specific rules that must be followed if you are relying on Legitimate Interest under GDPR.

Vital Interest

In this instance, the processing is necessary to protect someone’s life. This commonly occurs in medical emergency situations where personal data is accessed in order to save someone’s life.

Legal Requirement

The processing is necessary for your business to comply with the law, e.g. data processing that is necessary to meet a legal obligation such as financial compliance requirements or accountancy requirements.

Public Task

The processing is necessary for your business to perform a task in the public interest and the task or function has a clear basis in law. Data processing is done by a government entity or an organisation acting on behalf of a government entity.

The Short Answer!

Therefore, the short answer is “No”: you do not always need to rely on Consent. There are 6 lawful bases that you can use, and Consent is just one of them.

For more information about the Lawful Basis for Processing, click on the link below:

https://ico.org.uk/for-organisations/accountability-framework/records-of-processing-and-lawful-basis/





Is It Too Late To Become GDPR Compliant?

As a business owner, you are responsible for the personal data that you hold and it will always be your responsibility to demonstrate your commitment to GDPR and data protection requirements.


As freelancers, micro business owners or SMEs, we are stretched to the limit in setting up, running and/or growing our business and navigating our way through digital marketing and social media, so GDPR planning might take a back seat. It’s never too late to start, and you do need to get started by taking one step at a time.


Now is a good time to circle back and invest time in enhancing your commitment to GDPR with the “Take Three Takeaways”, which will hopefully motivate you to take action:


a) List the data protection tasks that you have done, e.g. paid the Information Commissioner’s Office (ICO) data protection fee, popped a Cookie banner pop-up on your website, and published a Privacy Notice on your website.


b) Find out what else you need to do, e.g. talk to a GDPR or Data Protection specialist who is willing to do a quick gap analysis, which will highlight the additional things you must do.


c) Talk to three people, e.g. find out what your business colleagues are doing to manage GDPR and data protection within their business.

If I can encourage you to believe that you have the ability to get started with GDPR and data protection and then take effective steps to prepare a “To-Do” list to keep you focused and accountable, I would also like to empower you to keep going.


Thriving in Business

Courage is the first step to everything, and I have met so many lovely freelancers and business owners who have chosen self-employment because they want to be the catalyst for change and creativity. You’ve left fear behind and you’re taking action to build a business brand that is future-proof.

I want my services to be truly accessible to ambitious, passionate business owners who are building a brand that values and respects individuals’ privacy, and I would like more of that in the world, more of the time. Why? Because in helping you, I am connecting with businesses and communities that matter, and you are opening the doors to change.

Join me as I share stories and adventures about the business owner superstars in my world who are using GDPR as a professional, creative solution to solve problems that matter.

I hope you enjoyed reading my newsletter – if so, please consider replying to me:

christina@grcinfomanagement.com or Christina Tueje CIPP/E | LinkedIn