I recently received a white goods delivery from an online order. It was as expected: I received a text the night before to confirm delivery, an email in the morning from the delivery company with tracking showing exactly where the lorry was and a courtesy phone call from the lorry driver to say they were 10 minutes away. Great communication from the operations team of that company.

I also received a call later in the day to check the delivery had occurred and to try to sell an extended breakdown cover package. Whether that last call was legal is questionable, because I didn't give permission for marketing; only case law and time will tell, as some companies will say there is a justified interest in selling extended breakdown cover. If illegal, it may potentially incur large fines. All the rest is legal under the General Data Protection Regulation (GDPR), provided the handling of the data after use is properly managed. Be aware that if a third party is delivering your products, you need to ensure this third party deletes the information. It's the ultimate responsibility and liability of the provider of the information to ensure it is used, stored and deleted correctly.

Assume I decide to ask for all my personal information to be removed. Where are my email address and mobile phone number stored? My mobile phone number has also been on the driver's mobile phone. Is the driver self-employed or employed by a different company? Does the delivery company also have a data policy that is acceptable and is implemented? Does the supply company audit the delivery company's data? Under GDPR they're responsible for the data they give to the delivery company.

Assume it's easy to erase that data from the current files. Have you thought about the back-up systems and how to remove the information? GDPR will need to be considered from an operations viewpoint. Possible solutions to the above scenario are to:

  • Ensure there is a tick box for the client to indicate they want to be kept up to date about the delivery by phone/text/email. It could also ask whether a courtesy call may be made to confirm the delivery was to their satisfaction.
  • Create and implement (or update) your data policy for suitability for GDPR.
  • Ensure the transport provider has a suitable data policy, which should include deleting personal information xx days after delivery.
  • Plan and undertake a data audit of the delivery company to check your data requirements have been actioned. It's your responsibility if your supplier has a data issue with data you supplied.
  • Provide a check box to ask permission to update the client about any recalls / repairs.
  • Write a letter. If the client hasn't ticked the box, then, after checking the client is not on the mail preference service, send a letter about the extended warranty instead of making a phone call.
  • Implement a system for handling requests for deleting personal data from all your systems – including back-ups.

For an informal discussion to clarify GDPR compliance, please contact Aidan Salter via LinkedIn, call 01993 883421 or 07801 039600, or email Aidan.Salter@the-consultancy.co.uk
