[Andy Smith, Managing Director, Corpdata]

A number of people have asked how we’re approaching GDPR. I think partly because they’re trying to figure out how our data is going to be able to support their marketing in the future. Partly because I think it’s a good working example of how you need to perhaps change your business thinking to figure out how GDPR is going to be accommodated properly. So with that in mind, this particular video is a slight different one. It’s more of an advert for Corpdata’s day job which is helping people do direct marketing with B2B data here in the UK but it does show the thought process we’ve gone through that you might be able to translate to some of your own business practices.

Lawful, Fair and Transparent

We’re going to take the six principles of GDPR, one at a time and try to identify what we’ve been doing. In terms of lawfulness, fairness and transparency, when we gather the data and check it, we explain that it will be supplied to other companies to use for direct marketing, so long as the product or service in question is relevant to them and their professional capacity. They may not want to buy it but they should at least understand why it was appropriate to tell them about it.We ask if that’s acceptable to them. We further seek to to be clear about their wishes by asking if they’re happy for marketing via post, phone or email and we record those preferences. Most people in business are happy to receive relevant marketing and many people say they need the information to continue to fulfil their job role effectively.In fact, we’re finding that from the hundreds of thousands of conversations we’ve had, over 90% of people give permission for postal and email marketing and about 70% are giving permission for telephone marketing. After the call, we send an email showing the personal data we hold, the preferences we've recorded and again explain how the data will be used. We also inform them of the fact that they have rights that they can refuse if they wish. Furthermore, they can complain if they want to and we provide all the information that they might need to be able to complain to us or indeed to the ICO. We are processing the data under the legal basis of legitimate interest and this too is explained to the data subject. We also recognise that our usage involves us passing data to third-parties. We’ve made it part of our responsibility to check that a company wishing to use our data understands their responsibilities to both corpdata and the data subject in terms of how that can be done. We conduct a Legitimate Interest Assessment (Balancing Test) about every proposed client usage and often help our client conduct their own Legitimate Interest Assessment so that they can also show that they have cared about how to use data legally and ethically. It does also form part of the paperwork required to demonstrate compliance. Finally, GDPR requires that we should be able to demonstrate that we comply with the rules. To that end, we have call recordings which allow us to check that the researcher is doing their job correctly. All the researchers are based in the UK, they’re all on permanent contracts and they’ve all been trained in the importance of data protection and data accuracy. We do not outsource nor do we store personal data elsewhere in the world or on the cloud. We think we’ve been very transparent, aptly fair and fully lawful.   

Purpose Limitation

We’ve clearly identified what we will use the personal data for and we don’t use it for anything else. We go beyond that though. Our licenses to clients wishing to use the data for marketing are also increasingly clear about the conditions of usage of the data. We’re trying to ensure that the data and the data subject is treated properly and by agreeing the usage with the client in advance, we also help them comply with the GDPR purpose limitations.

Data Minimisation

Simply, the personal data processed is the minimum that could be done to perform the intended task.

Accuracy

In terms of accuracy, we re-contact data subjects if ever we come to believe that there may be a flaw in the data. In any event, we re-validate the data and the permissions for its use on a regular rolling cycle. For our clients, as part of our rolling license they get updates to the data twice per month. This allows us to ensure that any improvements in the accuracy of the data get reflected in the data being used by a client as promptly as possible, as well as cascading any changes to permission the subject might make.

Storage Limitation

The data is stored and processed for as long as it is accurate, and needed and no longer. Our licenses too have been changed to encourage clients to only use the data for as long as it is helpful and needed. To do this, we’ve scrapped our old 12 month license and our eternal license replacing them with a rolling license. The rolling license includes the updates and it has a small peppercorn monthly rent. This is deliberately designed to align the urges of a marketing client with the storage limitation principle. For as long as it is helpful and needed, the client must pay the small ongoing fee. If ever it isn’t worth paying that fee anymore, then it would suggest that it’s no longer worthwhile or needed and therefore it should be deleted.

Integrity & Confidentiality

We have duplicated server systems which provide a high level of redundancy as well as regular backups both on and off-site. The systems are patched regularly for updates and make use of leading firewall, anti-virus and anti-malware facilities. Separately, the server rooms have a proper access control limiting the access to only those people who require it. When the data is moved outside of our servers, it is done in a secure and encrypted way with only people who need access to the data getting access to the data.

And then of course underneath all of that, there’s the concept of accountability which goes through GDPR from end to end. I hope that you recognise that we’ve tried to change what we do to try and embrace the accountability and the responsibility there is to look after the data that’s been entrusted to us. We’ve also then taken that a few stages further to try to make sure that our clients automatically treat with the same respect the data that we’re going to put into their hands as they do their marketing. Hopefully that opens the window on what corpdata has been doing. If you need any of our data, give us a call.