BBC Radio 5 live interviews Deputy Information Commissioner on GDPR

With the subject of GDPR finally hitting mainstream news, BBC Radio 5 Live presenters Sean Farringdon and Rachel Burden interview the Deputy Information Commissioner, Steve Wood on the imminent Data Protection Regulation changes.

We’ve highlighted some of the main points of discussion for you, and you can watch the interview recording at the bottom of the page.

Is the GDPR something small and micro businesses need to abide by?

The regulations set out in the current Data Protection Act 1998 applies to organisations of all sizes that store, collect and share personal data. This includes the new and updated rules of the General Data Protection Regulation.

That said, Steve Wood told BBC Radio 5 Live that micro businesses that are doing straightforward things with personal data should keep their approach to GDPR just as simple.

The main points organisations need to understand are:

  • The types of data they have;
  • How they will protect it; and
  • That they are providing clear information to their customers


In response to a listener’s question about his small business and if he is able to retain the email addresses of his clients, Steve Wood, the ICO’s Deputy Information Commissioner said:

“If (he) already has an existing relationship with his clients and he is selling them services or goods, and they have already purchased things from him, then the law allows that relationship to continue. In that situation it is likely that (he) can continue to send marketing information to those members of the public he is serving and there shouldn’t be a problem there.”


Does the GDPR say that we can keep business cards and data that is not digitally stored?

Mr Wood says that if the data is required in order for the business to operate and contact their clients, then they can keep that information. The organisation’s “need and purpose” to keep that data should be easily described and demonstrated.

“The new law isn’t about disrupting important things that businesses need to do.”

Organisations should pay particular attention to email lists, for example, where they don’t know where or how they obtained them. In this situation, lists should be cleaned and where appropriate new opt-ins should be obtained.


Does the GDPR cover post and cold calls?

The GDPR covers all possible permutations of how personal data can be used. This includes post, which is known as Direct Marketing.

‘Nuisance’ cold calls and text messages are covered by the Privacy and Electronic Communications Regulations (PECR) that works side by side with the Data Protection Act. The GDPR gives the Information Commissioner’s Office greater power, with higher fines awarded to the worst offenders.

What do I need to consider when taking personal data out of the office?

Security measures should be put in place when your work requires you to take documents or devices that hold personal data home with you. Policies should take into account the following:

  • Is it absolutely necessary to take this information off the premises?
  • Do you have a secure locked area at home where you can store it overnight?
  • Are your devices password protected and sensitive information encrypted?
  • Have you installed and enabled a ‘find my device’ and remote wipe application in case it is lost or stolen?

In summary

Albeit a surface scratcher of GDPR, the BBC Radio 5 Live interview did highlight the fundamentals of an organisation’s personal data responsibilities.

It is a requirement to have a clear privacy notice in place that is integrated into your website, email and other marketing channels – Essentially, giving your customers ample opportunity to see it, understand it and accept it.

Be sensible with personal data. Can this individual or organisation reasonably expect to hear from me? Did they give me consent to market to them? Have I asked them to opt into my marketing communications?

If you can confidently answer yes to those questions, are you just as confident that you can demonstrate that fact?

Much of GDPR boils down to careful documentation of:

  1. What information you have
  2. What you have done to prevent it getting into the wrong hands
  3. What you will do if/when it does get into the wrong hands
  4. What you plan to do with that information, when, and how long you’ll keep it.

Want a simple joined up way of getting that done?