GDPR (General Data Protection Regulation)… you’ll have seen this term swirling around in the internet-ether lately and might even be slightly panicked that you should know more about it. Certainly a quick flick through my spam box asks me:
“Are you GDPR compliant?”
“Is your customer database ready for GDPR?”
But what is GDPR?
Should you be paying attention to GDPR if you only market to your own clients? YES!
At its heart, GDPR is bringing European law in line with the USA’s CAN-SPAM Act of 2003, which is far tighter legislation than our own existing Data Protection Act. It’s about people only receiving marketing that they asked for and being able to easily unsubscribe from marketing communications when they no longer want to receive them. So it’s a good thing: less annoying “have you claimed PPI?” phone calls for a start!
However, in tightening the legislation surrounding the handling of data, it will have a knock-on effect for small businesses and how they market themselves.
Who controls GDPR?
- How did people sign up to receive your marketing? It cannot be a pre-ticked box, or consent assumed because they bought something from you. People need to have actively subscribed and know they are receiving marketing communications from you – euphemisms such as “newsletter” or “information” should not be used on the sign-up box! If you have a list which contains these types of sign-ups, you need to resubscribe them before 18 May 2018 using the correct protocol.
- Do you have proof of the sign-ups? For example, does your email marketing software require users to “double opt in” by filling in their email address and then clicking on a link within a confirmation email, or do you have a copy of the sign-up sheet they used to subscribe at a trade event? If not, again, resubscribing people via a compliant form before 18 May 2018 will be the best way of cleansing your list.
- Is there an easy unsubscribe? To comply with the GDPR legislation, every communication must tell people who owns the data and must carry a link showing how to unsubscribe from it. Make sure your email address and mailing address are on each communication.
- Who is responsible for the data? You must tell people who is responsible for the data you hold and process – this person must be registered with the ICO as a registered Data Controller. Additionally, data processors (in other words, anyone dealing with the data) also have direct obligations to process data correctly. You cannot outsource this responsibility, and neither can they claim they were completing arm’s-length transactions: if you are processing data, you are both responsible. NB: Virtually Sorted has been a Registered Data Controller with the ICO since 2005 and always checks that our clients are following best practice.
- What data is held? The GDPR places a duty on the Data Controller to hold only relevant personal data – in other words, if something is no longer needed, it should be destroyed in order to minimise the risk. Got old client files lurking? Time to clear them out! The ICO’s definition of “personal data” is any data which identifies an individual or presents a security risk. The GDPR legislation specifically requires that any information held regarding children under 13 has additional parental permission before being stored.
- Where is your data held? The exact wording on this is very vague, but on asking for further clarification from the ICO, they have confirmed that whilst it is preferable that all data is held within the EU, organisations can use non-EU data storage as long as you undertake a “suitable risk assessment”. If there is a complaint, you will be asked to produce evidence of the risk assessment you undertook before storing the data. So it’s a good idea to look at where your data is stored and to ask for clarification on the security under which it is held. This isn’t merely for your marketing lists, but also for personal data like client billing details (i.e. your accounts programme), backup storage, online workspaces, password logs, social media logins, etc.
- What is your procedure for reporting data breaches? Should you (or one of your suppliers/data processors) have a data breach where “a personal data breach is likely to result in a risk to people’s rights and freedoms”, you must report it to the ICO and to the people affected by the data breach as soon as possible, and at the latest within 72 hours of becoming aware of the breach.
- How large is your organisation? If you have over 250 employees, you will have to nominate a Data Protection Officer who is responsible for overseeing the Data Controllers and the processing of any data within the organisation.
Still confused? Take the ICO’s GDPR self-assessment quiz.