DeHavilland & GDPR
At DeHavilland, we’re not only committed to providing you with political intelligence and research that empowers your business and the decisions you make, but we’re also dedicated to constantly improving our own performance, particularly in the digital economy. The General Data Protection Regulation (GDPR) comes into effect on May 25th 2018, governing how personal data must be processed and stored. We embrace the opportunity that the GDPR presents to build trust and improve customer experiences by driving GDPR compliance throughout our organisation.
GDPR will not stop DeHavilland’s customers from using - or require them to change the way in which they use - our services, if what was being done before was lawful. DeHavilland’s data is provided to customers based on the legitimate interest of political engagement.
Please note: Customers are responsible for ensuring their own data processes are compliant.
What is GDPR?
The GDPR is legislation governing privacy and data protection. It imposes new obligations on organisations that control or process personal data, with a view to giving individuals greater control over how their data is used. Although the GDPR is a European regulation, it still applies to companies based outside of the EU if they are dealing with personal data belonging to data subjects within the EU or if they have a European seat.
In addition to the GDPR, electronic marketing communications are also covered by the member state implementing legislation of the ePrivacy Directive.
How does this impact DeHavilland?
In order to drive continual compliance with all data regulations in our business, we audit and update our processes on an ongoing basis. We are registered with the Information Commissioner as a data controller, and we have appointed a dedicated Data Protection Officer to maintain our business’ compliance.
What has DeHavilland done to become GDPR compliant?
Here are just some of the things we do at DeHavilland to ensure respect for privacy. This is not about becoming compliant, but remaining compliant:
- THE PRIVACY TEAM: Oversee GDPR activities and, with the appointment of our Data Protection Officer, continue to drive privacy compliance
- THE DATA LIFECYCLE: Map our collection, storage and use of Personally Identifiable Information/personal data
- THE POLICIES: More formally document our privacy practices to comply with the GDPR’s enhanced record-keeping requirements
- THE PROCESS: Update (as relevant) privacy and data security related policies, processes and controls, incorporating privacy by design into our product development processes
- THE EMPLOYEE AWARENESS: Educate and train our employees across a range of mediums to ensure awareness and vigilance when dealing with data in day-to-day working life
- THE CODES OF CONDUCT: Ensure our suppliers and partners agree to our third party code of conduct (or equivalent) and have the right contract terms in place
- THE SAFEGUARDS: Ensure all data transfers (inter-company and otherwise) are only made with adequate protections in place
Does DeHavilland need to obtain opt-in consent?
Provided DeHavilland’s data is not used for marketing purposes (but instead political engagement as intended), opt-in consent is not required in order for third-parties to make use of DeHavilland data. According to the GDPR guidelines, opt-in consent is only one of six grounds for using data. Opt-in consent is not realistic for data sets such as that offered by DeHavilland. Under the GDPR consent must be specific and informed. In accordance with the Information Commissioner’s Office (ICO) GDPR draft consent guidance, this would require all third-parties who may access an individual’s personal data to be named, and for each use of the data to be specified.
Customers must therefore use a different processing ground, such as legitimate interest, to use DeHavilland data. If legitimate interest is relied upon, the ICO recommends conducting a legitimate interest assessment. It is important that this legitimate interest is not intended/allowed to provide an excuse for disregarding an individual’s privacy rights, which must be fully respected at all times.
How does this impact DeHavilland customers?
GDPR will not stop customers from using – or require them to change the way in which they use – our services if what was being done before was lawful.
Our database is updated in real-time and so will always reflect the most up-to-date status of any individual’s consent to be on our database. Customers are strongly advised to use the most recent data on our system to ensure compliance.
Does using DeHavilland data ensure customers are GDPR compliant?
Customers are responsible for their own data practices and must ensure that they are compliant with all relevant regulations.
Please be aware that this statement does not constitute legal advice. If you want to know what your legal position is, we suggest that you obtain legal advice specific to your circumstances.
What’s next for DeHavilland in the realm of privacy?
We believe that compliance is not a destination, but an ongoing journey. We review our processes and practices on an ongoing basis to ensure that our customer relationships remain ones of trust, empathy and based on the united goal to make your business better, every day.