Whichever you are, there are implications in the General Data Protection Regulations that you need to know about.
The General Data Protection Regulations (GDPR to friends and associates) are coming into force in the UK in May 2018. “Ah”, you say, “but these are EU regulations and we are Brexiting!” Yes, true, but if Article 50 is triggered at the end of March next year, we will be in the EU until March 2019, so GDPR will come to pass.
So, back to my original question: “Are you a controller or a processor?” The ICO gives us this handy definition: “the controller says how and why personal data is processed and the processor acts on the controller’s behalf.” Managers and doers, in other words.
So, what does each have to do?
GDPR places specific legal obligations on both Controllers and Processors. So, if you are employing an agency for direct mail, emailing or telemarketing, you are a controller. The agency using the data, the processor, has legal obligations to maintain records of personal data and processing activities. Under GDPR, they will now face far tougher penalties if they breach the rules.
“So!” you cry, “I can bung them the data and I am off the hook!”
Not so fast, my friend; you can’t pass the buck that easily. According to the ICO, if you are a controller, it is your responsibility to ensure your contracts with processors comply with the GDPR.
“I could go to a non-EU agency for my telemarketing and then they couldn’t touch me.”
Again, not so fast! GDPR also applies to organisations outside the EU that offer goods or services to EU citizens. You can’t escape!
GDPR is coming and you’d better be prepared! Next time, we’ll take a look at the actual information controlled under GDPR – bet you can’t wait!