This article is written by the Law Firm Glimstedt in Gothenburg. If you have further questions about GDPR, please contact us at www.glimstedt.se

6 quick tips from the lawyer about GDPR

There is considerable concern about the forthcoming data protection law, GDPR. High penalty charges and complicated regulations frighten many people. Here are six tips for those of you who work in marketing.

1. Consider obtaining more consent

All processing of personal data must have a legal basis. You may send direct mail to active customers in both B2B and B2C relationships with the contractual relationship as the legal basis and, as a general rule, you may send relevant direct mail to people in B2B relationships on the legal ground ‘legitimate interest’. However, the safest and best thing to do is to use the legal basis ‘consent’ for as many relationships as possible. Obtaining consent also aligns better with the principle of inbound marketing. That people have agreed to receive information should be viewed as something positive: it means that they are actually interested in the company and are receptive to the message in the e-mail. An important aspect of obtaining consent is the mandatory information about the processing that must be provided to the customer at the time the consent is obtained. Those who will have the most success in their marketing within the framework of GDPR are those who are able to incorporate this information into their normal communication with the customer.

2. The legal ground ‘legitimate interest’ is complicated

As mentioned above, there is the possibility (primarily in B2B relationships) to use the legal basis ‘legitimate interest’ in e-mail marketing. The Swedish Data Protection Authority has previously approved the trade organisation SWEDMA’s guidelines on what constitutes legitimate interest (the guidelines may, however, be updated after the implementation of GDPR). As a general rule, these guidelines prohibit the collection of e-mail addresses in B2C relationships without consent. Exceptions are made for so-called ‘soft opt-ins’, where collection and mailing may be carried out in connection with sales negotiations under certain conditions. In B2B relationships, the assessment is much more discretionary. As a general rule, it is legitimate to collect e-mail addresses and send marketing material via e-mail with the objective of reaching people in their professional role. There are, however, limitations concerning, among others, sole proprietors that are important to be aware of.

3. Screening

There are no fixed rules on how long data collected on the basis of ‘legitimate interest’ may be kept. A maximum retention period should be established, and you should have procedures in place to screen out data after a certain time, or when it may be assumed to be out of date. Where possible, you should consider strategies for converting addresses held on the basis of legitimate interest to consent, so that you have a legal basis for keeping the data for a longer period of time.

4. Watch out for profiling

The analytical tools that make it possible to profile potential customers have become more numerous and more refined. GDPR will force major data collectors like Google and Facebook to make changes in their data collection and profiling approaches. For example, Google will no longer be able to collect data from Gmail in the same way, because it cannot guarantee that all e-mail recipients have agreed to the processing. As mentioned, GDPR places high demands on companies engaged in profiling. If you have your own analytical tools that enable profiling, at whatever level, it is high time to start investigating what actions must be taken to comply with the regulation.

5. Stop relying on the Rule of Abuse

Previously, Sweden has had an exception for unstructured personal data, often referred to as the ‘Rule of Abuse’. This relates, for example, to personal data in running text, e-mail and images in social media. This exception will disappear with the implementation of GDPR. To be allowed to post an image of an individual in social media through a channel that you as a company control, the company must ensure that valid consent to the publication has been obtained.

6. Do you store data on servers outside the EU?

Section 10 in the data protection officer agreement regulates this issue. If data is sent out of the EU, the country to which it is sent must have an ‘adequate level of data protection’. If this is not the case, you must enter into a supplementary agreement based on the EU’s standard contractual clauses (also referred to as model contract clauses). In the USA, companies must be ‘Privacy Shield’ certified for an adequate level of protection to exist (in which case no additional agreement is required). It is your responsibility to investigate whether your supplier complies with the requirements of GDPR.
