Unless you have been living under a rock for the last 6 months, most business owners have at least heard of the new EU data protection regulation. We have actually had 2 years to prepare. The deadline to comply is fast approaching; at the time of writing, we have just over a month until May 25th. Many are still confused about what they need to do, or see it as a new barrier to effectively running their business.
At its core, the new legislation is about ensuring we respect the personal data that our clients and customers entrust to us. As a consumer, I like to think that I won’t be spammed with unwanted marketing and adverts. I want to be sure my data is kept secure and not handed over to third parties without my permission or knowledge.
As a business owner, I need to be able to run my business effectively and efficiently in what is always a challenging and competitive marketplace. Sometimes it feels that the needs of the business and the consumer are in constant conflict as rights and regulations evolve.
I don’t believe it has to be that way. Being transparent and open can be a strong marketing tool. As consumers get savvier in protecting their personal data, businesses that are transparent and treat their customers with respect will gain more customers than those who try to skirt the letter of the law.
How does GDPR define personal data?
According to Article 4: “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’) …”
This can include name, identification number, location data or online identifier, reflecting changes in technology and the way organizations collect information about people.
So what is GDPR?
As always when I discuss this area, I will emphasise that I am not a legal expert, and if you are unsure, getting legal advice is always a good idea.
The first thing to note is that this is a regulation, not a directive, which means you are lawfully required to put it into practice in your business if you deal with the personal data of those who reside within the EU.
GDPR is based on six main principles:
- Lawfulness, fairness and transparency
- Purpose limitations
- Data minimisation
- Accuracy
- Storage limitations
- Integrity and confidentiality
Fundamentally you are ensuring:
- You have permission to hold any personal data.
- You have lawful justification for storing or processing the personal data.
- You have gained and recorded specific consent for its use.
- You ensure the data is stored securely and with confidentiality.
- You are transparent about how it is used and where it is processed.
- You have a process to delete it when requested to do so.
For more detail, check out the Information Commissioner’s Office website.
What does your business need to do to comply with GDPR?
As always, there is some discussion on what you need to do. Every business is different, and a lot will depend on what processes you use and the type of data you collect.
- Do an audit of what personal data you collect, where you store it, why you are storing it and what specific consent you have recorded for its use.
- Update your privacy policy to explicitly cover what data is collected, how it is used and how to contact you if there is a complaint. Be sure links to it are clear and prominent. Don’t just hide your privacy policy in the footer.
- Check the security of the personal data you store. This can be on your website, third-party systems or as simple as locking away any paper-based material in a filing cabinet.
- Data transfer outside the EU – If you use a third-party application such as MailChimp, Eventbrite or even your accounting software, be sure you know where they are storing any personal data and whether they are meeting the requirements of GDPR. This is particularly important for those companies outside the EU. For companies based in the US, be sure they have signed up to the EU-US Privacy Shield. Be aware that the European Commission only recognises some countries as having sufficient protection.
According to the European Commission website: “The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework) as providing adequate protection. Adequacy talks are ongoing with Japan and South Korea.”
- Update forms to make it clear what information is collected and why. Adding links to your privacy policy at the point this data is collected is a great way of ensuring your clients are giving informed consent when they entrust their personal data to your business. It is no longer enough to have a privacy policy in the footer; you need to make it obvious at the point the data is collected.
- Ensure you record explicit consent for the specific use of personal data, e.g. if you want to add someone to a newsletter, make sure this is a separate tick box from your standard terms and conditions.
- Ensure you have GDPR-compliant contracts with those companies that process any data on your behalf, or get a signed Data Protection Addendum. For examples, you can find Mailchimp’s addendum here and one for Cloudflare here. Of course, read carefully and, where possible, get legal advice before signing anything new.
All this will take time to complete and the likelihood of legal action is still unknown. The biggest fines are, I suspect, reserved for those who are actively and purposefully misusing personal data. That said, businesses that ignore GDPR will find themselves under closer scrutiny from more savvy consumers looking for a transparent and trustworthy service.
Useful articles and resources
European Commission Infographic for GDPR
This infographic gives a quick and easy to understand overview to get you started.
Information Commissioner’s Office guide to GDPR
It is worth reading through the information on the ICO website to be sure you understand the regulation in more detail.
In particular, read the 12 steps to take now document.
Hallam Internet article on making your website compliant
GDPR: How to create best practice privacy notices (with examples)
Top 10 operational impacts of the GDPR: Part 4 – Cross-border data transfers
A useful article if you store personal data on services outside the EU.
GDPR For Online Entrepreneurs (UK, US, CN, AU) Facebook group
Joining this Facebook group gives you access to some useful discussion and training videos.