So there’s some new legislation on the scene and it’s kind of a big deal. If you haven’t heard about it by now, it’s called the General Data Protection Regulation, and on the 25th May the GDPR comes into effect.
There is still some uncertainty about it, putting most business owners into a mild state of panic, but this article will cover the key points on what it is, what you should do and why you shouldn’t worry (too much).
So what is it?
The GDPR is pretty much what it says on the tin. It’s regulations put in place by the ICO to protect data used by businesses and making these businesses more accountable for the data they hold.
The aims of the GDPR are to protect customers from businesses using data with malicious intent, to provide clarity on how customer data is held, and to require businesses to review and strengthen their data storage procedures.
Now when you say data…
The data the GDPR refers to is any data that identifies a real person. For example, info@yourwebsite.com doesn’t really have any human significance. eloise@yourwebsite.com, however, now identifies a real person: an Eloise at that company. You can see how this might raise more pressing privacy concerns.
What should I do?
It all boils down to a data audit. You’ll need to establish all the ways in which your business collects and stores data, and document what you’re doing to ensure that data is protected. The types of questions you should be asking yourself in your audit are:
- Data description: what is it?
- Where is this data held?
- Where was the data collected?
- Was consent given?
- Why do you need it?
- How has it been secured?
Collecting Data
The collection of data needs to be fair, lawful and transparent. This means using the data only for the purposes specified, which need to be clearly stated in a privacy policy or terms and conditions. It also means collecting only the data you need. For example, you can’t ask people to provide their postal addresses if you will only make contact through email.
Consent
People will need to provide consent before you collect their data, which means an end to pre-ticked ‘Join our mailing list’ boxes as well as the cheeky and misleading ‘tick here to opt out!’. The person has to make a positive action of consent and also has the right to withdraw consent at any time, so make sure your unsubscribe buttons are clear and included in your promotional emails.
As you may have noticed in your inbox, there has been a huge explosion of GDPR emails from companies asking their mailing lists to give consent again. This is not necessary if you’ve already been given consent. As the Guardian says:
“…if the business had consent to communicate with you before GDPR, that consent probably carries over…”
https://www.theguardian.com/technology/2018/may/21/gdpr-emails-mostly-unnecessary-and-in-some-cases-illegal-say-experts
Holding data
You need to be transparent about how you hold your data and only keep it for the agreed length of time and purpose. People can request to know how you’re holding their data and have the right to rectify, delete and erase their data. You’ll also need to consider how any 3rd parties you involve in your business affect your customers’ data. For example, if you use Mailchimp for newsletters, it means they have access to your customer data as well.
You’re accountable for the data you hold, so keep it safe and secure. Any paper files need to be locked away, and any data stored on hardware (laptops, phones, USB sticks, etc.) should be password protected.
Still confused?
Don’t worry, you’re not alone. As it stands, GDPR is still a minefield! There’s a lot of new legislation, and it’s going to take time to truly understand and implement. There’s also lots of help available to become GDPR compliant. I highly recommend Angie Brown’s services: http://angiepa.com/business-pa-services/gdpr/
Here’s why you shouldn’t panic
The GDPR has been put in place to catch spammers, stop underhand marketing tactics, prevent data leaks and make business owners more accountable for the data they hold. Let’s be real: the likelihood of someone reporting you to the ICO is very minimal.
You do not have to have everything ready by the 25th, and as long as you can prove to the ICO that your plans to implement the GDPR are in place, you’ll be fine.
Here are some useful links from the ICO to help you get ready:
https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/
https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
Now if you don’t mind I have a data audit and cookie policy to write! Mmmm cookies…