GDPR (and personal data)
GDPR
On 25 May 2018 the General Data Protection Regulation (GDPR) came into force and replaced the Data Protection Act (DPA). The aim is to give people more control over how their personal data is used and to make businesses more transparent about how it will be used.
Therefore you should give more thought to how you are using the data that you collect through your networking activities (and your business should have a GDPR policy).
- GDPR relates to personal data only. This includes name, address, email address, etc. – anything that allows the individual to be identified. This also includes photographs.
- GDPR applies to all data everywhere, wherever it is stored (it doesn’t have to be electronic), so this will include paper files, notebooks, and business cards.
- This personal data should not leave the EEA (and therefore wherever you choose to store the data electronically should be GDPR compliant or be covered by an agreement). There is therefore a potential issue with many of the services that you already use, due to the continuing lack of awareness in the US (and cost).
- You cannot retain data indefinitely. You should consider what data you are retaining and for how long as part of your consent process.
GDPR and emails
You will need a lawful basis for sending an email (which is a type of processing). It is likely that you will decide that consent is the lawful basis, and that will probably be the case if you send out marketing emails. You then need to make sure you have a record of when consent was given and that the person was given the details required by the GDPR. The easiest way to do this is to make sure that your privacy policy has the requisite information and to direct them to your privacy policy: for existing consented contacts, by sending them an email stating that your policy has been updated; for new contacts post-GDPR, by including a reference or link to it when you ask for their consent to sign up.
Don’t forget (as mentioned above) that if you are using the data in services such as MailChimp or a CRM you need to check where they store the data. If it is outside of the EU, their privacy policy should say whether it is covered by an agreement such as Privacy Shield.
GDPR and business cards
If you are at a networking event and come away with business cards of people you want to talk to later, you have a legitimate reason to follow up with them, as you will have their consent (which may be implied consent) through the exchange of business cards. However, it is likely that this consent will only be for a specific purpose, e.g. a direct follow-up, and not consent to be added to a marketing or email list; you will need to get further consent for that.
So if this is something you would like to do, you should ask for consent as part of your follow-up email. For example, you could include a link to a page where they can sign up to your email updates.
Finally, please note that this post (and the others in our GDPR series) is not legal advice and should not be relied on as such.