It feels like everybody is talking about GDPR, specifically in digital business. You’ll have heard those four letters a lot, but what do they actually mean? GDPR is a new EU regulation, applying from 25 May 2018, that governs how businesses and organisations handle your personal information.
But how is GDPR going to affect you specifically? Whether you’re a small business owner, or manage a large organisation, it’s very important you check up on these new rules, as you could find yourself in a spot of trouble. Chances are you might already be fully compliant without realising it, but it’s better to be safe than sorry.
Everyone is asking the same questions – what is it? What do I have to do? What happens if I don’t follow the new rules?
As such, we’ve compiled a list of frequently asked questions, and have explained everything you should need to know.
- What is GDPR
- When does GDPR come into place?
- What are my main responsibilities under the GDPR?
- What are the GDPR requirements?
- I have an existing email list – how do I make sure this is compliant?
- I send emails to my customers once a month – what do I need to do?
- What does the newsletter sign-up form on my website need to say?
- What constitutes personal data?
- What will happen if I don’t comply with GDPR?
- What are the GDPR breach (non-compliance) penalties?
- How can I prepare my business for GDPR?
- How does my business benefit by complying with GDPR?
- What individual rights does GDPR provide the public?
- Who within my company is responsible for compliance?
- What is a Data Protection Officer and does my business need one?
- I’m only a small business, do I need to worry about GDPR?
Brexit & Further Reading
- GDPR is an EU Law – with Brexit on the way, does it apply to the UK?
- Where can I find good further reading on GDPR?
GDPR stands for the General Data Protection Regulation, a new EU law that was approved in April 2016 and replaces the 1995 Data Protection Directive. It’s the result of four years of work to bring data protection up to date for the 21st century, and aims to give individuals more control over how their personal information is used by organisations.
GDPR entered into force on 24th May 2016, after EU members agreed the final text. However, businesses and organisations are not bound by it until 25th May 2018. From that date it applies to every organisation established in the EU, and also to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour.
In summary, your main responsibilities as a controller or processor of personal data are to:
- Process all data lawfully, fairly and in a transparent manner
- Collect data only for specified, explicit and legitimate purposes, and not use it for unrelated purposes later
- Collect only the data that is adequate, relevant and necessary for those purposes (data minimisation)
- Keep the data accurate and, where necessary, up to date
- Hold data for no longer than the purpose requires
- Process it securely, protecting it against unauthorised access, loss and damage
- Be able to demonstrate all of the above (accountability)
This is a summary of the principles in GDPR Article 5.
The precise rules of GDPR are very complex, but here are the general requirements broken down simply:
- Document the personal data you hold: what it is, where it came from, who has access to it and who it is shared with. Keep full records of your processing activities
- Check that your procedures can honour individuals’ rights, in particular deleting personal data on request and providing a copy of it digitally in a common, machine-readable format
- Ensure your subject access request procedure is compliant: a request for access to personal data must be answered within one month (extendable by a further two months for complex requests, provided you tell the individual why), without charge unless the request is manifestly unfounded or excessive, and if you refuse you must explain why and tell the individual they can complain to the supervisory authority
- Identify and document your lawful basis for each type of processing, and state it in your privacy notice
- Check that your procedure for requesting, recording and managing consent meets the GDPR standard: a clear, affirmative action, separate from other terms, with a record of what the person agreed to and when
- Have procedures in place to detect, investigate and report personal data breaches; notifiable breaches must be reported to the supervisory authority within 72 hours of becoming aware of them, and affected individuals must be told directly where the breach puts them at high risk
- Designate someone within your organisation to take responsibility for data protection compliance
Email lists are all about permission.
You need to be able to show that you have clear consent (or another lawful basis) for every existing contact you email, and that you are using their data only for the purposes you described when you collected it. If you cannot establish that, you must stop emailing them and delete the data. Likewise, delete any information you hold that is not needed for the purposes you were given permission for.
You must be able to show, on demand, how and when each person on your marketing list gave their consent: what they were shown, what they agreed to, and the date and source of the consent.
If any of the above is a worry then you must ask these contacts for their permission again. A well-run campaign to have your existing list re-opt-in, with a log of the process used and of each response, will stand you in good stead for the future. Be careful, though: a re-permission email is itself marketing, so send it only to people you already had a lawful basis to contact. Emailing people who never consented in order to ask for consent is the mistake that has already drawn regulatory fines under the existing rules.
Make absolutely certain that you are holding and processing personal data securely.
As GDPR steals the limelight at this very hour, it’s time for every email marketer to become GDPR-savvy. Read on to learn the dos and don’ts of GDPR-friendly email marketing – https://t.co/1toDf3iQsl #emailmarketing #zohocampaigns #gdpr #permissionbasedmarketing #gdpremails pic.twitter.com/hgxPgBgiTb
— Zoho (@zoho) April 26, 2018
GDPR isn’t out to make things difficult for people – it’s designed to protect data and stop organisations misusing the information of its individuals. If you’ve been doing things correctly and by the book, chances are you won’t have to do much.
Within email marketing, GDPR brings in three new practices:
- The standard for opting in is rising. Consent must be a clear, affirmative action: pre-ticked boxes, silence and inactivity no longer count, so a sign-up that relies on them is not valid consent. (The “soft opt-in” for your own existing customers comes from the separate e-privacy rules rather than GDPR, but the data it covers must still be handled to the GDPR standard.) To cover all bases, many email marketing experts recommend a “double opt-in”: the person ticks the box, then confirms by clicking a link sent to their address before they are added to the list, which also proves the address belongs to them. Mailchimp offer GDPR-friendly tools to assist with the process
- Perform an audit of your database to ensure you know where your subscribers’ information is stored, and that you hold a record of how and when each of them consented to the communication.
- Ensure there is a clear way of unsubscribing in every communication you send to the list. This should be a simple link that works without logging in and takes the person off the list promptly, with the withdrawal recorded just as the consent was.
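The re-permission and double opt-in advice above boils down to a small amount of engineering: a confirmation link that cannot be forged or replayed, a per-address audit trail you can produce on demand, an unsubscribe link that is just as robust, and a purge of sign-ups that were never confirmed. The following Python is an added illustration written for this page; it is not code from the original article or from Mailchimp. The signing key, the time-to-live, the consent wording version and the sample addresses are assumptions chosen so the example runs stand-alone; in production the key would come from a secrets manager and the records from a database.

```python
"""Double opt-in with an auditable consent record (added illustration, not the article's code)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Assumption: in a real deployment this key lives in a secrets manager and is rotated;
# it is generated here only so the example runs stand-alone.
SIGNING_KEY = secrets.token_bytes(32)
CONFIRM_TTL_SECONDS = 48 * 3600            # assumed: unconfirmed sign-ups expire after 48 h
CONSENT_WORDING = "newsletter-consent-v1"  # assumed version id of the exact tick-box text shown


@dataclass
class Subscriber:
    email: str
    status: str = "pending"                # pending -> confirmed -> unsubscribed
    requested_at: int = 0
    events: List[dict] = field(default_factory=list)   # the consent audit trail


class MailingList:
    """Double opt-in list that records how, when and from where consent was given."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.subscribers: Dict[str, Subscriber] = {}

    def _token(self, action: str, email: str, issued: int) -> str:
        # HMAC over action, address and issue time: a link cannot be forged for another
        # address, altered, or reused for a different action (confirm vs unsubscribe).
        body = f"{action}|{email}|{issued}"
        sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}|{sig}"

    def _verify(self, token: str, action: str) -> Optional[str]:
        parts = token.split("|")
        if len(parts) != 4 or parts[0] != action or not parts[2].isdigit():
            return None
        expected = self._token(parts[0], parts[1], int(parts[2]))
        if not hmac.compare_digest(token.encode(), expected.encode()):
            return None
        if action == "confirm" and self.clock() - int(parts[2]) > CONFIRM_TTL_SECONDS:
            return None                    # stale confirmation link
        return parts[1]

    def _log(self, sub: Subscriber, event: str, **details) -> None:
        sub.events.append({"event": event, "at": int(self.clock()), **details})

    def request_signup(self, email: str, box_ticked: bool, source_ip: str, form_id: str) -> str:
        """Step 1: form submitted. No affirmative tick means no consent and nothing stored."""
        if not box_ticked:
            raise ValueError("consent box not ticked: a default or pre-ticked box is not consent")
        sub = self.subscribers.setdefault(email, Subscriber(email))
        if sub.status == "unsubscribed":
            sub.status = "pending"         # re-subscribing must go through confirmation again
        sub.requested_at = int(self.clock())
        self._log(sub, "signup_requested", source_ip=source_ip, form=form_id,
                  wording=CONSENT_WORDING, pre_ticked=False)
        return self._token("confirm", email, sub.requested_at)   # goes in the confirmation mail

    def confirm(self, token: str, source_ip: str) -> bool:
        """Step 2: confirmation link clicked. Only now may marketing be sent to this address."""
        email = self._verify(token, "confirm")
        sub = self.subscribers.get(email) if email else None
        if sub is None or sub.status != "pending":
            return False                   # unknown, already confirmed (replay) or unsubscribed
        sub.status = "confirmed"
        self._log(sub, "confirmed", source_ip=source_ip)
        return True

    def unsubscribe_token(self, email: str) -> str:
        """One-click unsubscribe link to embed in every message sent to the list."""
        return self._token("unsubscribe", email, int(self.clock()))

    def unsubscribe(self, token: str) -> bool:
        email = self._verify(token, "unsubscribe")
        sub = self.subscribers.get(email) if email else None
        if sub is None:
            return False
        sub.status = "unsubscribed"
        self._log(sub, "unsubscribed")     # withdrawal is evidenced like the consent was
        return True

    def can_email(self, email: str) -> bool:
        sub = self.subscribers.get(email)
        return sub is not None and sub.status == "confirmed"

    def consent_evidence(self, email: str) -> List[dict]:
        """What you produce on demand: every consent-related event for this address."""
        return list(self.subscribers[email].events) if email in self.subscribers else []

    def purge_unconfirmed(self) -> int:
        """Storage limitation: drop sign-ups that were never confirmed within the TTL."""
        now = self.clock()
        stale = [e for e, s in self.subscribers.items()
                 if s.status == "pending" and now - s.requested_at > CONFIRM_TTL_SECONDS]
        for e in stale:
            del self.subscribers[e]
        return len(stale)


def run_scenario() -> dict:
    """Worked run on constructed sample addresses with a fixed clock; returns the results."""
    now = [1_700_000_000]
    ml = MailingList(clock=lambda: now[0])
    out = {}
    try:
        ml.request_signup("ann@example.com", False, "203.0.113.5", "footer")
        out["unticked_rejected"] = False
    except ValueError:
        out["unticked_rejected"] = True
    tok = ml.request_signup("ann@example.com", True, "203.0.113.5", "footer")
    out["emailable_before_confirm"] = ml.can_email("ann@example.com")
    out["tampered_accepted"] = ml.confirm(tok.replace("ann@", "bob@"), "203.0.113.5")
    out["confirmed"] = ml.confirm(tok, "203.0.113.5")
    out["replay_accepted"] = ml.confirm(tok, "203.0.113.5")
    out["emailable_after_confirm"] = ml.can_email("ann@example.com")
    out["evidence"] = [e["event"] for e in ml.consent_evidence("ann@example.com")]
    out["unsubscribed"] = ml.unsubscribe(ml.unsubscribe_token("ann@example.com"))
    out["emailable_after_unsub"] = ml.can_email("ann@example.com")
    stale = ml.request_signup("cat@example.com", True, "198.51.100.9", "checkout")
    now[0] += CONFIRM_TTL_SECONDS + 1
    out["stale_confirm_accepted"] = ml.confirm(stale, "198.51.100.9")
    out["purged"] = ml.purge_unconfirmed()
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The audit record is the point of the exercise: each entry carries the timestamp, the source address, the form the person used and the version of the wording they saw, which is exactly what you would have to produce if asked how a given address came to be on your list. The confirmation token expires so that an old link cannot be used to resurrect a purged sign-up, and a confirmed or unsubscribed address ignores a replayed confirmation.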
For a more detailed look at GDPR & email marketing, click here.
In order to make sure your newsletter sign-up forms are compliant with GDPR, you must make the following changes…
- Active Opt-In: Users will have to actively opt-in to receive communications or subscribe to newsletters, meaning that any tick boxes regarding contact preferences can no longer be pre-ticked, and must be left blank or “no” as default.
- Unbundled Opt-In: Contact preferences/subscribe opt-in boxes must now be completely separate from acceptance of terms and conditions.
- Granular Opt-In: You need to give users the option to tailor their contact preferences – i.e. by providing separate tick boxes for Post, Email & Telephone communication, and a separate tick-box to agree to having personal data shared with third-party companies.
- Easy to Withdraw Permission or Opt-Out: Users must always have the right to opt-out of communication, and it is recommended that they have the ability to easily withdraw from selective topics, if they don’t want to opt-out altogether.
- Naming Third Parties: When asking users to share their data with third parties, each party must be clearly named, with an individual tick-box for each one; a blanket “trusted partners” box is not specific enough.
Personal data is any information relating to an identified or identifiable living person: names, contact details (email, address, phone number, etc), bank details, photos, location data, IP addresses and other online identifiers such as cookie IDs, and more.
GDPR also singles out “special category” data, which needs extra protection and an additional condition before you may process it: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to identify someone, health data, and data about a person’s sex life or sexual orientation.
As well as individuals who have been affected by your non-compliance being able to take legal action against you to claim compensation, you could be hit by a GDPR penalty.
With the new regulatory change, also comes a new fine regime. There are different penalties for non-compliance, depending on the severity of the breach.
The maximum fine for the most serious infringements (for example processing without a valid lawful basis such as sufficient consent, breaching the core principles, or ignoring individuals’ rights) is up to 4% of the company’s total worldwide annual turnover for the preceding financial year, or €20 million, whichever is higher.
For other infringements (such as inadequate record keeping, failing to notify a breach, or inadequate security measures) companies can be fined up to 2% of worldwide annual turnover, or €10 million, again whichever is higher. These are maximums; regulators set the actual amount according to the nature, gravity and duration of the infringement and how the organisation responded.
It’s important to ensure that your business is GDPR compliant well ahead of the deadline date, and you may need some time to put some new procedures in place to make this happen. Here are some things to consider…
- Inform your employees: It’s crucial that all staff within the company, particularly key employees involved in decision making, are aware of what’s changing and what their responsibilities in the process are. Make sure that everyone knows what they need to do and when, to avoid any disruptions or delays.
- Revise what data you’re collecting: Find out what personal data you’ve been holding, and what you’re using it for. The law is cracking down on unnecessary data collection, so it’s important that you’re only collecting and using the information you need.
- Check your breach detection and response procedures: Ensure you have adequate security measures in place, and that you can detect a personal data breach, contain and investigate it, and report it. Notifiable breaches must go to the supervisory authority within 72 hours of you becoming aware of them, and to the affected individuals where the breach is likely to put them at high risk. Failing to have appropriate measures, or failing to notify, can each incur a penalty on top of any consequences of the breach itself.
- Inspect your consent procedure and privacy notices: You might need to update the way you collect, record and manage data consent if they aren’t already compliant with GDPR.
Aside from the fact that you will be abiding by new law regulations, GDPR can actually bring many benefits to your business, including:
- Improved reputation: Data breaches are more common than ever, and customers know it. Being able to show that you handle personal data carefully, and being ready to tell people promptly if something goes wrong, builds trust that is hard to win back after an incident. (There is no general “GDPR certificate” to obtain; the regulation does provide for certification schemes, but demonstrable compliance is what counts.)
- Increase in data quality: The regulation requires controllers to correct inaccurate data they are made aware of, and individuals can access their personal data and have it corrected. Keeping only the data you need, and keeping it accurate, improves the quality of everything you build on it.
- Better understanding of your data: Documenting what personal data you hold, where it lives and why you have it forces you to know your own systems. That organised picture helps you serve customers better and plan marketing and sales activity, with one caveat: the data can only be used for the purposes you told people about when you collected it, so new uses need either to fall within those purposes or a fresh lawful basis.
Under GDPR, all individuals have the right:
- To be informed. This means individuals have the right to be informed about the collection and application of their personal data. You must provide individuals with information that explains the purpose for your data collection.
- Of access. This means individuals have the right to access their personal data, and to be aware of how their data is processed.
- To rectification. This gives individuals the right to rectify any inaccurate personal data.
- To erasure. This gives individuals the right to have their personal data erased in certain circumstances, for example where the data is no longer needed for the purpose it was collected for, or where they withdraw the consent the processing relied on. You must give them a clear way to ask, and respond within one month. This is also referred to as the right to be forgotten.
There are also rights to restrict processing, to data portability, to object to processing (including direct marketing, which you must always stop on request), and in relation to automated decision-making and profiling. You can read more about these here.
Unless you have a designated member of staff, ensuring your business adheres to the main responsibilities of GDPR falls largely to you as the business owner. This can be quite daunting, and it is why some business owners have brought in a Data Protection Officer, or an outside consultant, to audit their data handling processes.
A Data Protection Officer informs and advises the organisation and its employees about their data protection obligations, monitors compliance, advises on data protection impact assessments, and acts as the contact point for the supervisory authority and for individuals. This includes organising training for employees. The DPO must be able to act independently and report to the highest level of management, and the role can be shared or contracted out.
Appointing a DPO is mandatory, regardless of business size, if you are a public authority, if your core activities involve large-scale regular and systematic monitoring of individuals, or if your core activities involve large-scale processing of special category or criminal conviction data. Outside those cases it is optional, but still advisable for businesses that handle large amounts of personal data.
No matter the business size or sector, if the organisation is handling personal data then it is critical that GDPR is taken as seriously as possible. A well considered information handling process will reflect extremely well on any business.
Are you a #smallbusinessowner Are you ready for the GDPR? On the 25th May 2018 the General Data Protection Regulation comes in to force, but what does this mean for #Smallbusinesses https://t.co/qDwP8TWX4x
— Morgan Richardson (@MRL_Insurance) April 26, 2018
The Information Commissioner’s Office (ICO) has compiled a helpful Data Protection Self Assessment, and they note that this has been put together in the interest of small organisations that wish to analyse their own situation.
Brexit & Further Reading
Even though the UK plans to leave the EU, all businesses here will still need to comply with GDPR. It applies directly from 25th May 2018, while the UK is still a member state, and the UK government has committed to keeping its rules in domestic law after leaving through the Data Protection Act 2018, which sits alongside GDPR.
Plus, plenty of British companies will continue to do business with the EU after Brexit. GDPR applies to any organisation, wherever it is based, that offers goods or services to people in the EU or monitors their behaviour, so those companies will need to comply regardless.
Not found what you need from our FAQ? Don’t worry. The GDPR Information Portal has been produced to help educate the public in time for the May 25th 2018 enforcement date.
The Information Commissioner’s Office (ICO) have produced a PDF manual entitled Twelve Steps To Take Now. It provides a checklist of actions you can take to prepare your business.
Our friends at Digitl produced a highly informative webinar with Steve Kuncewicz, and this details how GDPR will impact the eCommerce landscape.