SHOULD I WORRY ABOUT GDPR?
The answer to the above question is 'no'. Should you be compliant with GDPR, the answer is 'yes'.
As a business, chances are you hold personal information about people in the day-to-day running of your business, as well as information about prospective clients or customers.
As well as ‘holding’ personal information, the GDPR also refers to the collecting of information, for example when someone visits your website and their visit is tracked by ‘cookies’ running behind the scenes such as Google Analytics (more about Google Analytics in another article). Even if the visitor to your site is not identifiable as a named person, they still have to be offered a choice as to whether their visit is ‘tracked’. This tracking includes information such as which pages they viewed, for how long etc. as well as other details about them such as their whereabouts geographically.
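One way to honour that choice on a website is to load the analytics tag only after the visitor has explicitly agreed. The following is an added example, not code from the original article; the cookie name, consent version and measurement ID are assumptions, and the only real URL is the Google Analytics tag loader.

```javascript
// Added example: gate Google Analytics behind explicit visitor consent,
// defaulting to "no tracking". CONSENT_COOKIE, CONSENT_VERSION and GA_ID
// are hypothetical values chosen for this illustration.
const CONSENT_COOKIE = "site_consent";   // hypothetical consent cookie name
const CONSENT_VERSION = 2;                // bump when the consent wording changes
const GA_ID = "G-XXXXXXXXXX";             // placeholder measurement ID

// Parse a raw Cookie header / document.cookie string into a name->value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// True only for a well-formed consent record of the current version that
// explicitly grants "analytics". A missing cookie, an older consent version
// or malformed JSON all count as "no consent given".
function analyticsConsented(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return false;
  try {
    const c = JSON.parse(raw);
    return c.version === CONSENT_VERSION && c.analytics === true;
  } catch {
    return false;
  }
}

// Inject the GA tag only when consent exists. `doc` is the DOM document
// (or a stub in tests); returns the created script element or null.
function loadAnalyticsIfConsented(doc, cookieString) {
  if (!analyticsConsented(cookieString)) return null;
  const s = doc.createElement("script");
  s.async = true;
  s.src = `https://www.googletagmanager.com/gtag/js?id=${GA_ID}`;
  doc.head.appendChild(s);
  return s;
}

// In a browser, run on page load; in Node there is no document, so skip.
if (typeof document !== "undefined") {
  loadAnalyticsIfConsented(document, document.cookie);
}
```

The consent cookie is only written by the site's own consent banner after the visitor clicks "accept", so a first visit never loads the tracking script.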
There are companies which collected personal information about individuals for the sole purpose of selling it on – this is now not allowed under the new EU Regulations. Following on from this, you cannot now purchase or sell lists of personal details of individuals in the EU.
What is the GDPR?
The General Data Protection Regulation was set up by the European Union to protect personal data consistently across EU countries. It came into effect on May 25th 2018. Being a ‘Regulation’ means it forces all members of the EU to legally comply. It affects the way personal information about individuals who are in the EU is treated. This means businesses based outside of the EU need to comply when dealing with people inside the EU. A dedicated data protection officer (DPO) is required for larger organisations and those that hold sensitive information.
If organisations do not comply the fines are very high, up to 20 million Euros or 4% of global turnover, so businesses need to take this regulation very seriously. There is also the potential loss of trust which could damage a business via its relationship with its customers.
According to the Information Commissioner’s Office (1.) the GDPR is based on 7 key principles:
1. Lawfulness, fairness and transparency – this refers to how the information is processed. Transparency means the individuals whose data it is can easily find out what is held about them.
2. Purpose limitation – the use of the data should be limited to uses that are specified, explicit and legitimate.
3. Data minimisation – more details than required should not be held, i.e. information that is not relevant to your business relationship should not be recorded.
4. Accuracy – where necessary, data should be kept up to date.
5. Storage limitation – once the purpose of storing someone’s data has ceased it shall not be kept unless it is going to be archived for special purposes.
6. Integrity and confidentiality (security) – appropriate steps should be taken against accidentally losing data and preventing unlawful use.
7. Accountability – this refers to the controller of the data being responsible for complying and being able to demonstrate how you comply with the other principles. This should be reviewed regularly and if data is breached, the individuals need to be informed within ‘good’ time.
As time goes on the GDPR will be shaped by case law, setting precedents with outcomes and determining how cases that come after will be decided.
Why has the GDPR been created?
The GDPR was created to increase the rights of the individual over their personal data. With technology making it easy to store, process and analyse data, the GDPR sets out how it should be used fairly and gives the owner of that data rights over where and how it is used.
What do I need to do to comply?
On a practical day-to-day level, following the seven principles above means you should do the following as a small or medium sized business.
You can carry out your own audit to assess and prove, in a document, that the 7 key principles have been applied. Document what the data is held for and consider why you need certain data. For example, do you need someone’s date of birth? Document where the data came from in the first place.
Make it clear and easy for data subjects to understand why and how you have their data, and give details of whom they need to contact in the business about their data so that it can be amended or removed at their request.
Many businesses use third-party software tools which hold the data on your behalf, such as email marketing applications like MailChimp or CRM tools such as HubSpot.
It is expected now that all websites should have an SSL certificate, that is, the ‘s’ displayed after the http in the website address (URL). SSL is the commonly used term for Transport Layer Security (SSL, Secure Sockets Layer, is now old technology, but the name has stuck), which certifies ownership of the domain and secures the transfer of data by encrypting it.
What about Business-to-Business Marketing?
Whenever ‘personal data’ is processed the GDPR applies, even if that person is acting in a professional capacity within a business.
Will the GDPR change when the UK leaves the EU?
Specific to the UK, the Data Protection Act 2018 came into force at the same time as the GDPR; this Act modernises the Data Protection Act 1998 and incorporates much of the GDPR. As the law evolves things may change, but for the foreseeable future leaving the EU won’t change how we should deal with these data protection regulations.
If you do business with the EU you will definitely need to comply as the law covers those within the European Union.
We are not legal experts and cannot advise on detailed matters, however we can certainly help small and medium sized businesses with day-to-day compliance. We can assess your current data processes, identify risks and help find solutions.
For example, we can help you manage and maintain your contacts list to comply through software and automation processes. If you have a list of subscribers to a newsletter they need to be able to opt out, and have their details removed completely if they wish.
When you do record information from new clients or customers this needs to be stored and maintained in a way that complies with the GDPR. We can help set up systems so registered customers can update their information and preferences themselves. This could also be combined with setting up an easy to manage email marketing workflow, making your content engaging and relevant to those people who are interested in what you provide.
It is good practice to show you have made efforts to understand the GDPR and comply. This could be written out in a document for internal use and shown, should you be asked, in the case of an investigation for breaches of the GDPR, as part of the regulation is to ‘show’ that you are making efforts to understand and comply.
If you want to know more you can visit the Information Commissioner’s Office website for up to date information.
(1.) Information Commissioner’s Office https://ico.org.uk/
The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The Information Commissioner’s Office (ICO) is the definitive website to visit for information on the GDPR and Data Protection in general.
Thegdprguy.com Carl Gotlib – Clear and easy to digest: the GDPR Guy, Carl Gotlib, has a website and podcast that will help you understand the GDPR in more detail.