GDPR and how to sensibly manage data
We recently caught up with Judith Andrews – Director of Business Tamer, otherwise known as ‘GDPR Guru’ – to help outline some of the basics of GDPR and provide some reassurance on how to safely and sensibly manage data within your business.
What is GDPR?
GDPR is the common phrase for data protection in the UK and comes from the introduction of the General Data Protection Regulation in 2018. But it’s not just GDPR – there’s the Data Protection Act 2018 and the Privacy and Electronic Communication Regulations as well. These three together generally cover data protection and use for small businesses.
What does ‘legitimate interest’ mean?
Legitimate interest is one of the 6 lawful bases in the GDPR which can be used to collect, use and store personal information. Briefly:
To use existing personal information with legitimate interest, you must believe that your customers/contacts would reasonably expect you to use their information for that purpose.
It is your responsibility to balance your legitimate interest to use the data against the interests, rights and freedoms of the individual concerned.
It’s a legal requirement to clearly explain your legitimate interests in your privacy notice.
Legitimate interest is the most flexible, but you must document your reasons for using it, keep a record of that process and explain your conclusions clearly to the individuals concerned.
When can you contact your customers?
You can contact them whenever you like – but no one likes spam! When you first collect personal information from your customers/contacts whether that’s through a contact form on your website, at an event or in the process of an online sale, you need to inform your customers why you want their information and what you’re going to do with it. So if you want to send weekly emails, tell your customers that’s what you’ll be doing!
Is there a max time frame you can keep someone in your database?
Keeping information depends on your retention policy – this will show that you’ve thought through how long you want to keep information, why you’re going to use it over that period of time, and how it is going to be stored during that time. Every business is unique, and the needs for keeping personal information will be unique as well. There are some statutory reasons for keeping information – for example, to meet tax regulations or employment legislation, but if your business needs to keep information for 10, 20 or 30 years, then you can. But you must make sure you’ve documented the reasons for doing so and also told your customers.
Privacy policies – simple steps for websites to be compliant
Privacy notices or policies don’t just apply to your website – this key document is to inform your customers/contacts why you want their personal information – what information you want, how you’re going to use it and how long you’re going to keep it for. You need to include a number of points such as contact information, your lawful basis, retention period, storage, sharing details, customer rights and finally how to make a complaint to the supervisory authority, the Information Commissioner’s Office. So many privacy notices, especially on websites, get confused about cookies – but there should be a separate policy that covers cookie use on a website. A privacy notice is about personal information use. There’s a great template on the ICO’s website which is free to use.