Dealing with GDPR

25th September 2020

As with a lot of legislation, GDPR can seem like a labyrinth of complexity, and Neptik, as a lead generation, email marketing and data processing service provider, has gone to great lengths to ensure that we’re set up to deal with any and all GDPR issues and that both we and our clients are fully compliant.

That said, because we operate exclusively in the B2B arena and only contact people within organisations [not individuals or sole traders], the compliance rules of GDPR do not apply to the work we undertake for our clients [now, this may change in the future, and, if it does, we will update our systems – and you – accordingly].

Put most simply, GDPR is designed to stop individuals having their personal data used/abused by organisations that might want to reach them/sell goods or services to them without either consent or an existing relationship being in place.

If, however, their contact details are already in the public domain [for example, on their company website, their LinkedIn profile or any other publicly available database], then, for the purposes of GDPR, this is no longer classed as Personal Identifying Information (PII), and, as such, no legislation is being contravened.

Should the contact wish to opt out, we would immediately update our lists and remove them from our database [to hold this information, or worse yet, to continue contacting them, is a breach of GDPR guidelines].

When we officially leave the EU, according to the government, “there will be no immediate change in the UK’s own data protection standards. This is because the Data Protection Act 2018 would remain in place and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside it”.

So, long story short – the outreach work we undertake for our clients falls outside of GDPR rules, but we’re constantly monitoring the situation and maintaining compliance where necessary.

As far as the ‘small print’ goes:

The new regulations seek to enforce accountability of data controllers and data processors for their practices – meaning companies will now have to demonstrate how and why they have collected data, that they have processed it lawfully, and that they have stored it securely.

The GDPR draws a distinction between a ‘controller’ and a ‘processor’ in order to recognise that not all organisations involved in the processing of personal data have the same degree of responsibility. The GDPR defines these terms:

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.