What you actually need to do about GDPR right now

So, here we are, 3 days to go, too late to really do anything. So supposing you’ve only just decided that perhaps you might need to think about it a little bit, what do you need to do now?

Well.

  1. You do need to read the guidance, and have senior management read the guidance, and take it seriously, and WRITE DOWN your policies, EVEN if what you currently do now is fully in compliance and you don’t need to change a thing.
  1. Go through this checklist
  1. Assuming you are not doing anything immoral to start with, you probably don’t need to change anything much.

  2. You definitely don’t need to email everyone you’ve ever sold a ticket to, asking for permission to store their data in your database. Under GDPR there are 6 lawful bases for processing data

and if someone has bought a ticket from you, you don’t need to rely on consent. Performance of contract and legitimate interest have you covered.

  1. IF your email marking list is of unknown provenance, imported into Monad from some Excel spreadsheet you used to maintain by hand or from another ticketing system, and you can’t offer any evidence that someone has consented to marketing emails other than “um there’s a tick in the box so they must have done”, you probably should refresh consent for that list before using it. You probably should refresh consent for that list anyway, whether it’s legally required or not. If you don’t actually use email marketing, then don’t request consent for something you don’t actually plan to do.

  2. When designing your new, GDPR compliant marketing permission questions, do be as specific as possible. “May we send your data to selected partners?” is no longer adequate. 3rd parties need to be explicitly identified by name, and best practice is for email lists to be specific about their content and frequency.

  3. Not that you would, because you’re nice, but it isn’t ok to bundle consent. You can’t include marketing consent in the T&Cs that someone has to agree to to buy a ticket: they have to be able to opt in and out of consent-based processing (i.e. marketing) separately. Being granular is part of being specific. Someone might want to receive your regular monthly programme emails without agreeing to any other marketing email you feel like sending.

This topic was automatically closed 41 days after the last reply. New replies are no longer allowed.