It's 4 letters that have started to put the fear of life into business owners, and with its implementation in May not too far away many business owners are stressing over whether they are compliant or not.
GDPR is all about being upfront, honest and very clear in what you do – which as business owners we should be anyway. The biggest change that has affected me and my clients is that of email marketing and data handling, something very simple to become compliant in. So here are my top tips to becoming GDPR compliant, based upon research and multiple seminars.
So what do they mean when they say Data?
They mean any data you hold on your PC, mobile, laptop etc. Data includes details such as name, address, contact number and email. The usual details you need to conduct business.
There is a secondary level of data which is classed as sensitive data and must be treated even more delicately. Data that falls under this category includes things such as medical information, religious information and financial information. It is best to get a compliance officer/lawyer to help you understand how to handle this data.
So now we know what Data is, what’s next?
You also need to make sure you have explicit consent to hold and process their data.
So I have mentioned Contractual performance, which is quite clear in regards to consent given. But what other forms of consent are there, and how do you prove it?
This is where Email marketing comes in!
Firstly, that list of emails you have for your newsletter – you need to be able to prove you had consent from them all to send the emails you send. The easiest way is double opt-ins for new subscribers. Although not required, it does assure you that the person signing up is in complete agreement by completing the secondary sign-up step. The data you can download from your email marketing platform will keep track of when they signed up and when they confirmed via the confirmation email – this is your evidence!
For current subscribers, you can send them an email with a sign-up link to a new list asking for confirmation that they would like to remain on your mailing list. This is a good time to let them know what you do with their data, and the types of emails you will be sending them, to make it VERY clear how the data is being processed – as required by GDPR.
If someone contacts you via a contact form, or generally via email, you cannot just add them to your list! This is not consent. You need to direct them to your sign-up form and get them to sign up themselves.
There is also an issue with freebies – although I do not have all the details – but there is a grey area because people are signing up for the freebie, not to receive marketing emails (although we all expect them). To continue offering a freebie you need to make it VERY clear that not only are they signing up for the freebie but also for the marketing emails – without this you will be in hot water.
Other forms of Consent
If you have employees – then by law you are required to process their data for things such as HMRC. Therefore agreeing to work for you is giving consent for that data to be processed. There are a few legal obligations that also require businesses to process consumer data such as The Enterprise Act 2002.
The final relevant form of consent is that of legitimate interest. Now this is a very flexible lawful basis but cannot be used as an excuse for every processing task you take part in. According to GDPR you can use this as a lawful basis if –
‘you can show that how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object – but only if you don’t need consent under PECR’.
You can hold data for suppliers and 3rd parties, as these details are required in order to provide services to your clients, so they fall under legitimate interest.
Right to be forgotten
So this is another area I know a few fellow business owners are having issues wrapping their heads around. So let's break it down as simply as possible.
Individuals now have the right to request that any data you hold on them is removed from your databases – every single one of them!
Once an individual has made a request to be forgotten a business has just 1 month to follow through – unless legal obligations require otherwise. And this is where it gets fuzzy for people.
The main reason to not comply is where the data is needed to provide agreed services, and without it the agreed contract cannot be fulfilled. There are also other reasons, the ICO states:
‘The right to erasure does not apply if processing is necessary for one of the following reasons:
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation;
- for the performance of a task carried out in the public interest or in the exercise of official authority;
- for archiving purposes in the public interest, scientific research historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
- for the establishment, exercise or defence of legal claims.’
So for example, take employee records. They are required to be held for a set amount of time, even after the employee leaves, and it is during this time that the data can be held even if the employee requests to have it erased. The reasons being HMRC record keeping and, if required, legal claims – i.e. unfair dismissal.
If you have clients who come back say once a year for projects – like branding help – then you can hold their data with the intent that it is kept for future projects. Just make sure you let them know you will hold it for that length of time!
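The two processes above, double opt-in as consent evidence and an erasure request that must respect a legal retention obligation, modelled as a small consent ledger. This is an added example, not code from the post; the record layout, method names and the 30-day approximation of "1 month" are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# Hypothetical consent ledger (not from the post): each entry is the
# evidence the post describes, i.e. when the person signed up and when
# they completed the double opt-in confirmation email. Timestamps are
# ISO-8601 strings, as a mailing platform export would typically give.
@dataclass
class ConsentRecord:
    email: str
    signed_up_at: datetime
    confirmed_at: Optional[datetime] = None    # set by the double opt-in step
    legal_hold_until: Optional[datetime] = None  # e.g. statutory record keeping

ERASURE_WINDOW = timedelta(days=30)  # approximates the post's "1 month"

class MailingList:
    def __init__(self) -> None:
        self.records: Dict[str, ConsentRecord] = {}

    def subscribe(self, email: str, source: str, now: str) -> None:
        # A contact-form message or a plain email is not consent; only a
        # self-service sign-up through the form creates a pending record.
        if source != "signup_form":
            raise ValueError(f"{source} is not consent to marketing email")
        self.records[email] = ConsentRecord(email, datetime.fromisoformat(now))

    def confirm(self, email: str, now: str) -> None:
        self.records[email].confirmed_at = datetime.fromisoformat(now)

    def set_legal_hold(self, email: str, until: str) -> None:
        self.records[email].legal_hold_until = datetime.fromisoformat(until)

    def can_send_marketing(self, email: str) -> bool:
        rec = self.records.get(email)
        return rec is not None and rec.confirmed_at is not None

    def request_erasure(self, email: str, now: str) -> Tuple[str, str]:
        # Marketing stops at once; the record is kept only while a legal
        # obligation still applies, otherwise it is erased within the window.
        rec = self.records[email]
        rec.confirmed_at = None
        t = datetime.fromisoformat(now)
        if rec.legal_hold_until and rec.legal_hold_until > t:
            return ("retained_under_legal_obligation", rec.legal_hold_until.isoformat())
        del self.records[email]
        return ("erased", (t + ERASURE_WINDOW).isoformat())
```

The second element of the `request_erasure` result is either the date the legal hold ends or the date by which the request had to be actioned, which is the figure you would quote back to the individual.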
This is a biggie.
The data you do hold and process needs to be kept secure, preferably encrypted. GDPR requires us to hold the information in a way that prevents unlawful processing, accidental loss, destruction or theft, using appropriate technical measures.
If someone gets access to your database then you are required to inform everyone you hold data for ASAP.
Ways to protect the data include ensuring you have firewalls in place, holding the data on an external hard drive that is unplugged from your laptop when not in use, or, if using a 3rd party to process and hold the data, ensuring they are compliant with GDPR and in particular Article 32.
GDPR is not as scary as people first thought, and although for some it might mean more paperwork and process changes while they get used to the new requirements, it will soon become easy to comply.
I am still learning, and still finding out all that I can to help people with GDPR. I have compiled the main points I feel are most relevant to sole traders/small businesses but if you have any questions do not hesitate to get in touch and I will go through my research to find the answer for you.