Welcome to episode 183, this week I am dedicating the whole episode to this much requested subject. GDPR is coming next year whether we like it or not so it’s time to start educating ourselves on the dangers and opportunities this presents.

With that in mind I have taken time to speak with three individuals, two of which are interviewed on this show.
As a result, I am skipping any news, cool things or questions this week and will revert back to our normal format next week.

My first interview is with Privacy, Cyber Security and Risk Advisor Jeremy Kajendran who is the UK Privacy Practice Leader for EY

Key points from Jeremy;
GDPR = General Data Protection Regulation
Data protection act has been in place since 1998 but GDPR is intended to bring the legislation up to date with today’s technology and business practices. Fines are greater and organisations are now having to ensure they are compliant.
Fines can be for up to 4% of global turnover or £20,000
It is a criminal offence in the UK to not be registered with the ICO (Information Commissioners Office)
Individuals have a right to access to their data (this hasn’t changed)
Individuals can now ask you to delete their data and stop processing their data as well as asking you to send it back to them.
The ICO is concerned in protecting individuals from abuse of their privacy.
The Privacy and Electronic Communications Regulations also run in tandem with GDPR and also worth being familiar with because they could be more onerous.
Continual opt-in is not a requirement of GDPR. People have to be asked to opt-in to something which is explicit just once but are always given the option to opt-out.
It’s unlikely that the ICO will be interested in one off unsolicited emails. If however a recipient asks to receive no more emails then you must respect their wishes and could be in trouble if you don’t.
There will be lots of publicity in May next year which may increase the amount of complaints the ICO receive and in practical terms they are unlikely to be able to follow all of them up. They will prioritise on a risk basis.
If you are an organisation that processes data on anyone within the EU then you are subject to the GDPR
LinkedIn Forms are a way of collecting data on people so you are the data controller once you take that information from LinkedIn. The form should make it explicitly clear that by adding details an individual is agreeing to receiving more than just the information advertised (ie an e-book). A double opt-in is helpful but the days of signing up for a giveaway is not permission to send them anything else, unless they explicitly opt-in for ongoing communications. Ideally this should be included in the sign up form on LinkedIn
Explicit opt-in can be a very positive thing because your list open rate is likely to be much higher.

TOP 10 Questions To Ask A GDPR Expert by Jeremy Kajendran

Jeremy’s InfoRisky Podcast.

I also had a chat with Kim Bradford who also specialises in GDPR but tends to focus on it from the perspective of small businesses and solopreneurs.

Advice from Kim;

If you process data on anyone, you need to register with the ICO in the UK. Data can in theory include keeping their email asking you to take them to remove your data!
Registering with the ICO (UK only) may help to mitigate any issues. Put simply a good analogy would be that being investigated and fined by the ICO is like getting caught speeding but not being registered is like getting caught speeding without a valid drivers licence!
Email providers are slow to react and some appear to be trying to push responsibility onto their customers - perhaps LinkedIn may do the same.
The ICO are going to issue very clear guidance to people on what businesses can and can’t do regarding their data and clarifying their rights on data. This may lead to some people reporting you and even if you have done nothing wrong, the ICO may want to investigate how you hold and use other data (opening a can of worms)
It’s possible that LinkedIn may remove or at least significantly change the feature that allows you to download your connections.

Advice from Kim;

If you process data on anyone, you need to register with the ICO in the UK. Data can in theory include keeping their email asking you to take them to remove your data!
Registering with the ICO (UK only) may help to mitigate any issues. Put simply a good analogy would be that being investigated and fined by the ICO is like getting caught speeding but not being registered is like getting caught speeding without a valid drivers licence!
Email providers are slow to react and some appear to be trying to push responsibility onto their customers - perhaps LinkedIn may do the same.
The ICO are going to issue very clear guidance to people on what businesses can and can’t do regarding their data and clarifying their rights on data. This may lead to some people reporting you and even if you have done nothing wrong, the ICO may want to investigate how you hold and use other data (opening a can of worms)
It’s possible that LinkedIn may remove or at least significantly change the feature that allows you to download your connections.