The deadline for complying with the new General Data Protection Regulations (GDPR) passed on 25 May 2018.
GDPR is the biggest change in EU data privacy law in 20 years. It applies to anyone holding the personal data of people based in the EU.
If you’ve struggled to make sense of the new data protection regulations or simply haven’t had the time, you are not alone. In the UK, 5.7 million smaller businesses are unlikely to be compliant.
However, you would be wise not to ignore the new regulations. Firms could be fined up to €20m (£17.5m) or 4% of global annual turnover for serious breaches.
Here are some simple tips to help you get your own organisation GDPR compliant fast.
What is ‘Personal’ data?
Personal data includes someone’s name, address or date of birth.
It can also include who a person works for, what they do for a living, in fact, anything that can be used to identify them as an individual.
Didn’t get opt-in? You may not need it!
Other than ‘consent’ (opt-in), there are five other lawful bases on which you can store and use someone’s personal data.
Opt-in is not necessary if you have an ongoing relationship with an individual or company, and have good reason to hold their contact details to run your business. For example, they are a:
- Regular Supplier – someone who supplies your business with goods or services
- Customer – an individual who buys your goods and services regularly
- Business contact – someone you need to be in touch with to carry out your business, for example, your bank, landlord, legal advisors, etc.
- A staff member or a volunteer
The key thing here is that you can prove that:
- Your business relationship with these people is current,
- You can justify why you are keeping their personal data, and
- You delete any out-of-date information.
So, a spring clean of your existing contacts database and deleting outdated contacts may be all that is needed.
Did you already have opt-in?
It seems like everyone has been sending out GDPR emails lately. However, don’t assume they were all necessary.
Many companies have been taking a ‘belt and braces’ approach and starting mailing list opt-ins from scratch.
But if you have already obtained and documented consent for your mailings, there is no need for you to obtain opt-in all over again.
My contacts list is such a mess!
The process of working towards GDPR compliance may have made you realise just how disorganised your personal data records have become.
If you’re struggling to work out what to do to make your business GDPR compliant, work through the checklist below.
Work through the DESCALE process to make your business’s personal data records clean, shiny and GDPR compliant!
To be GDPR compliant, the personal data in your contacts databases needs to be:
Write down what personal information you hold and where it is stored.
Document the legal basis (i.e. reason) on which you are storing this information.
Where consent has been obtained to store this information, document how it was obtained.
Ensure that all the personal data you hold is stored securely.
If you have paper records they need to be locked away safely. Out-of-date records should be shredded.
If you have personal data stored digitally, make sure it’s encrypted and password protected.
LocCroc is a great tool for encrypting data, because it allows you to encrypt and hide just parts of an Excel spreadsheet. So, if the personal data you hold is in Excel, you can manage how much of the spreadsheet each member of staff can see.
Some staff may only have access to a customer’s name and phone number, whereas others could view more detailed information about the customer.
Similarly, you could also use LocCroc to store the passwords to individual contact lists. Excel could be used to hold all the information about your contact lists – where they’re held, the legal justification for holding them, the passwords for access – but the passwords section of the spreadsheet could be encrypted so that only a limited number of staff could view it.
Is the information you hold up to date? When your next newsletter goes out, why not ask people to update their contact details? Then set a reminder to do this every year.
Delete any personal data which is no longer being used.
Make a plan for how long you are going to keep personal data records, within a reasonable time-frame.
If asked, you need to be able to share the personal data you hold with the person it belongs to. Check you have a quick and simple way to do this.
Allow people to have control over how their personal data is used. For example, if they are a customer they will expect to be contacted about the product they have purchased, but they may prefer not to receive regular promotional mailings.
If you hold contact lists locally, it might be worth moving them across to an online CRM (Customer Relationship Management) system. That way, you can enable people to keep their own records up to date and change their own mailing preferences.
But tidy it up first!
Under the new General Data Protection Regulations, there are six legal bases on which you can store and use someone’s personal data.
Can you legally justify holding the personal data you are holding? For each contact list (or for each segment of your main database) write down the justification. For example:
- Newsletter mailing list – legal justification: individuals have opted in.
- Customer contact list – legal justification: so we can make deliveries and invoice the customer.
Make sure there is an easy way for people to opt out of your mailings and/or have their contact details completely removed from your database.
We failed to send a GDPR opt-in mailing
To be compliant with GDPR you will need to take the plunge and delete any personal data you cannot legally justify holding. See above for details of the personal data you are allowed to keep.
Don’t worry. There are plenty of other ways to engage with people and win them back.
From now on, take every opportunity to encourage people to sign up to your mailing list. A simple link to somewhere they can sign up will work best.
Here are some ideas:
- Social media posts
- Email footer
- Bills, invoices and receipts
- Sign-up sheet at events
- Promotional materials
GDPR has made my mailing list so small!
If your GDPR emails didn’t get the response you’d hoped for, and only a small number of people have opted in to your mailing list, all is not lost.
You now have quality over quantity
Think about how much you were spending on postage, or for credits for your online mailing service – this reduction will save you money.
Now you have a leaner, fitter mailing list, full of individuals who care enough about your business to have recently opted in to receive your mailings.
They’re an engaged audience, prime prospects, keen to hear what you have to say. Your open-rates and click-rates are sure to shoot up.
The information in this blog is for general guidance on GDPR and is not legal advice. If you need more detailed guidance on how to comply with the new GDPR regulations, visit the Information Commissioner’s Office website.