Don't buy 2018 Natural Stone Show mailing lists without reading this

Online protection. Most of the data held by most companies about their customers and employees will become illegal on 25 May. Find out more at bit.ly/GDPR4SME.

Don't buy what are being described in emails from Ashley Emery (and other names) as 'Natural Stone Show 2018 Attendees email lists' if you expect to get a list of people and companies who attended the Natural Stone Show in London this year.

Whatever Ashley Emery and the others sending the same email are offering, it is NOT details about those attending the Natural Stone Show in London this year because there was NOT a Natural Stone Show in London this year. The Show is every other year and the next one is 30 April to 2 May 2019. Visitor registration details are never passed on to a third party to be put on sale.

The email does not say the Natural Stone Show it refers to is the London event, but recipients in the UK might assume that is what it means. It does not say where the show that the email refers to was held, and with a reference to zip codes being included in the information, the addresses you receive (if you receive any) might be American. Or perhaps not. Who knows?

If you could buy a list of names, addresses, email addresses, websites, revenues, number of employees and all the other information said to be included on this list and put it on a computer, it would probably contravene the Data Protection Act and will certainly contravene the General Data Protection Regulation (GDPR) that replaces the Act in May.

If you are not familiar with GDPR, you should be. It is designed to protect people from fraud. It requires all firms that hold details (and who doesn't?) about customers or employees (or anyone else) on computers to know what they have and where it's kept. To store the information, let alone use it, you have to have the specific consent of the individuals whose data you have. Dates have to be recorded when that permission was given and supporting evidence of the consent having been given must be kept. And if the individual withdraws their consent, which they can do at any time, their details must be removed immediately and permanently. It is not enough simply to remove them from a mailing list.

Consent to store and use individuals' details such as addresses, telephone numbers, emails, and so on, requires active agreement, not just a pre-ticked box. Companies will have to show a clear audit trail of consent, including screen grabs or consent forms.

The legislation comes from Europe but the British Government shows no inclination to remove it after Brexit. It is happy to accept it as a means of avoiding having to formulate its own legislation along the same lines. 

The move is a response to cybercrime, which in 2016 cost UK companies more than £1 billion. And the sum is growing. Major data breaches have also given criminals access to names, birthdates and addresses, social security and pension information, even bank accounts.

Large corporations are best at protecting themselves, so most targets of cybercrime are small to medium-sized enterprises (SMEs), which often have minimal protection of their computers and the data they hold on them.

In the event of a data breach, GDPR requires companies to inform the relevant authorities within 72 hours, giving full details of the breach and proposals for mitigating its effects.

Are you ready for the change? There is advice specifically for SMEs on the Information Commissioner's Office website, including guidance you can download.