The General Data Protection Regulation (GDPR) is a new regulation aimed at improving the protection of personal information and data privacy of EU citizens. Changes in how data is being used since the last significant EU data regulation, the Data Protection Directive 1995, have resulted in new ethical challenges regarding data protection. In essence, these challenges have been the driving force behind the drafting of the GDPR.
If you have data about your customers stored anywhere, including their email address, phone number, home address or other related information, then have a watch of our video. It explains how best to handle your customer data in order to avoid hefty GDPR fines, which are projected to be anything up to 20 million Euros!
A summary of GDPR
The GDPR is a huge change in data regulation law that will come into effect from the 25th May 2018. It affects every business that has customers or suppliers within EU member states, introducing tougher fines for non-compliance and breaches. This change in regulation will give people more say over what companies can do with their data, and rules will be more or less identical throughout the EU.
The GDPR is a policy which governs how personal data is stored and used. The reason this policy is being put into place now is because the personal data we can collect and the manner in which it can be used has changed significantly since the UK Data Protection Act of 1998. The public began expressing concern over their loss of control over who kept personal data on them and what it was being used for – this new policy aims to help people regain that control.
As a small business with customers and suppliers within Europe you need to comply with the GDPR regulations, or risk facing a huge fine if you’re found not to be compliant. The GDPR in writing is a tad difficult to follow; however, we’ve researched a lot of the legal jargon, and have compiled some top tips on coping with the upcoming change as a result of this.
10 Steps to avoid GDPR fines
Tip 1: Store Data in an organised fashion
This is important for two reasons. First, if someone were to ask what data you store on them, you can easily access it in response. Secondly, if you were ever to be investigated in accordance with the GDPR, you can demonstrate that you’re taking reasonable measures to control the data.
You’ll need to organise any data you’ve collected from customers and suppliers, as well as any past and present employees.
Personal data is any piece of data that, used alone or with other data, could identify a person. This includes:
- names
- addresses
- emails
- bank details
- photos
- IP addresses
In addition to this, any further sensitive data, such as:
- health details
- sexual orientation
- religious views
Tip 2: Encrypt your data (take necessary safety measures)
You’ll need to be able to demonstrate that you are taking necessary safety measures. If your data storage is digital, ask yourself the following questions:
- What safeguards are in place?
- What device(s) is it on?
- Do I have antivirus software?
- Can I remotely wipe the contents if the device is lost?
- Can hard copies be locked away securely?
- Who has access to these?
Fundamentally, it’s about taking reasonable steps to mitigate risks. You should keep records of your “risk assessment” and the steps you’re taking.
Tip 3: Don’t hold onto data unnecessarily
You need to be aware of exactly what you’re doing with data you possess, so don’t keep someone’s data because “it might be handy in the future”. If you don’t actively use it now in a recorded way, bin it.
Tip 4: Have a very clear privacy policy
This needs to be a document that someone is aware of when they’re handing over their data. The key here is to write it in a clear and accessible way that anyone could understand. Avoid jargon and explain exactly what you’ll be doing with the data.
When writing a privacy policy keep these questions in mind:
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- What will be the effect of this on the individual(s) concerned?
- Is the intended use likely to cause individuals to object or complain?
Tip 5: Respond to data requests within a month, free of charge
If someone requests to see what type of data has been collected from them, it must be given within one month and free of charge. Again, this is why it’s important to have your data stored in an organised fashion. Ideally, you’ll have a process in place so that if you do need to pull this information, it will be easy for you to do.
Tip 6: Delete any data someone asks you to
If someone asks you to delete the data you’ve collected on them, you are legally obliged to. Again, it’s recommended that you have a process for this, so that if and when someone asks for their data to be deleted, you can do so efficiently. Make it easy for you to find individual customers so that you only delete what you need to.
Tip 7: Allow people to “positively opt in” to you storing their data
New regulations mean that someone has to make an action to say you can use their data for marketing reasons (e.g. ticking a box, signing, or double opting in) as opposed to passively agreeing. For example, in the past, signing up for marketing material often involved a pre-checked box, but you’ll now need to have customers positively opt in to your storage of their data for marketing purposes.
So, no more pre-checked boxes! The customer needs to consciously take this action themselves in order for this collection of data to be GDPR compliant.
One design for opt in forms is to present people with a double opt in. Double opt ins act as an extra layer of confirmation that they do indeed consent to you using their data for the purposes you are intending. An example of this is allowing someone to positively opt in to you using their data, you then send them a confirmation e-mail, and the receiver then clicks a link to verify that they do indeed wish to be part of your mailing list.
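The double opt-in flow described above, as an added example that is not part of the original post or of any product mentioned on it: the visitor actively ticks an unchecked box, the server emails a signed and expiring single-use confirmation link, and consent is only recorded (with a timestamp, as evidence) once that link is followed. Function names, the in-memory register and the demo secret are all assumptions made for the example; a real deployment would store the register in a database and load the key from a secrets store.

```python
"""Double opt-in consent flow (added example, all names are assumptions)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed demo key; a real deployment loads this from a secrets store.
SERVER_SECRET = b"constructed-demo-secret-not-for-production"
TOKEN_TTL_SECONDS = 48 * 3600  # confirmation links stop working after 48 hours

# Consent register: email -> record. Stands in for a database table.
consent_register: dict = {}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes) -> str:
    # HMAC over the claims so a confirmation link cannot be forged or edited.
    return _b64(hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest())


def request_opt_in(email: str, purpose: str, box_ticked: bool,
                   now: Optional[float] = None) -> Optional[str]:
    """Step 1: the positive action. Returns the token to embed in the
    confirmation link, or None when the box was not actively ticked
    (a pre-checked box would pass True here, which is exactly the problem)."""
    if not box_ticked:
        return None
    now = time.time() if now is None else now
    nonce = secrets.token_hex(16)  # single-use value tied to this request
    consent_register[email] = {
        "purpose": purpose, "status": "pending", "nonce": nonce,
        "requested_at": now, "confirmed_at": None, "withdrawn_at": None,
    }
    payload = json.dumps({"email": email, "purpose": purpose, "nonce": nonce,
                          "exp": now + TOKEN_TTL_SECONDS}, sort_keys=True).encode()
    return f"{_b64(payload)}.{_sign(payload)}"


def confirm_opt_in(token: str, now: Optional[float] = None) -> bool:
    """Step 2: the emailed link is clicked. Check signature, expiry and that
    the nonce is still the pending one, then record the consent time."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        payload = _unb64(body)
    except (ValueError, TypeError):
        return False
    if not hmac.compare_digest(_sign(payload), sig):
        return False  # tampered or forged link
    claims = json.loads(payload)
    if claims["exp"] < now:
        return False  # stale link; the visitor must request a new one
    rec = consent_register.get(claims["email"])
    if rec is None or rec["status"] != "pending" or rec["nonce"] != claims["nonce"]:
        return False  # never requested, already used, or since withdrawn
    rec["status"] = "confirmed"
    rec["confirmed_at"] = now
    rec["nonce"] = None  # burn the nonce so the same link cannot confirm twice
    return True


def has_consent(email: str, purpose: str) -> bool:
    """Only confirmed consent for the stated purpose allows marketing."""
    rec = consent_register.get(email)
    return bool(rec) and rec["status"] == "confirmed" and rec["purpose"] == purpose


def withdraw_consent(email: str, now: Optional[float] = None) -> bool:
    """Unsubscribe: keep the record, with the withdrawal time, as evidence."""
    rec = consent_register.get(email)
    if rec is None:
        return False
    rec["status"] = "withdrawn"
    rec["withdrawn_at"] = time.time() if now is None else now
    rec["nonce"] = None
    return True
```

The register keeps the request and confirmation timestamps, which is the "way of recording that consent" the post asks for; the withdrawal time is kept for the same reason rather than deleting the row.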
Tip 8: Use layered opt in forms
Layered opt in forms provide a link within a data sharing form that allows users to access easy-to-understand information about how and why you use their data. This gives extra information to customers where they can delve more deeply into the specifics of how their data will be used if they would like to know specifically what they’re signing up for.
Tip 9: Have easy unsubscribing options
You should be making it very easy to unsubscribe from any marketing lists. Make sure you provide instructions on how to do so in every email, text, or whichever form of communication you use for marketing purposes. For example, in email correspondence, include how to unsubscribe from those emails at the bottom, clearly. Don’t use small print or obscure these instructions in efforts to keep them subscribed.
If someone requests to be unsubscribed, make sure you unsubscribe them. Have a system in place which makes it easy so you don’t slip up and break regulations by being negligent. You are obliged to unsubscribe people who have requested it, so make it as easy to do as you can.
Tip 10: Train all your employees on GDPR laws
Inform all your employees that they will need to be compliant from now on. Give them extra training if it’s something they could be more knowledgeable about; it’s better to be safe than sorry in this case! I’d even email reminders to your employees so that if you are ever investigated, you have demonstrable evidence of how conscious you’ve been of the new laws.
To be extra safe, appoint yourself (or someone else in your team) as the company Data Protection Officer (DPO), and have this in writing.
This usually only applies to big organisations, but it can’t hurt to email everyone outlining who the DPO is, giving this person the responsibility of checking you’re keeping to all the tips we’ve mentioned, and helping to enforce what you’ve set in place.
Common questions about GDPR explained
There are also some other questions that seem to keep coming up, so let’s go over some of these.
What about buying data such as email lists, is this still GDPR compliant?
In order to keep compliant, you need to ensure that the people whose data was collected have given their express consent that their data may be shared with third parties such as yourself. To put it plainly, the people on that list must have opted in to receive information from third parties.
What about selling the business, can I sell my data to the new owners?
If you wish to do this, you need to have an ‘assignment clause’ in your fair processing notice. This should clearly state that if someone buys your business, this pre-existing data will be owned by the new owner of the business, but only to be used for the same purposes as you have been using it for. You’ll also want to make it clear to the new business owners what you’ve been using the data for, and that if they wish to use it differently, they will have to recontact those whose data was collected and ask them to opt in for this new use.
What about existing data I have, can I keep this after the GDPR comes in?
After May 25th 2018, you need the express consent of individuals for marketing. Your safest bet is to contact those in your existing database now with a simple email stating that the law is changing, so if anyone would like to continue receiving marketing emails then they will need to opt back in.
How you do the opt in is up to you: you could have a link to the website where they have to tick a box to subscribe, or you could ask them to reply to the email with the word ‘YES’. You just need some way of recording that consent.
We hope you’ve found these tips useful, and that they help you along your journey to becoming a streamlined, GDPR compliant machine!
Interested in using our services? See what other business owners have said about us.
Digitool is a marketing company specialising in online marketing for cleaning businesses. It was founded to help business owners like you win more work, earn more money and save time. Get in touch with us to find out how we can help boost your profits.