As the GDPR deadline (25 May 2018) looms closer there's been ever-increasing advice, and alarming stories, about what needs to be done. I too have been keeping a keen eye on what's required, as being in the digital marketing industry I feel it's my job to make sure my clients and I stay out of jail.
GDPR stands for General Data Protection Regulation and it builds on and strengthens the current data protection laws.
I've seen a lot of advice that's just unnecessary, and if you're already following best practice there isn't much you need to change anyway.
I attended a GDPR workshop for small business owners at the end of last year, hosted by Small Business Saturday, and we had at our disposal a panel consisting of a privacy law expert, someone high up in Dropbox and a chap from the FSB, all of whom were part of the consultative process shaping the GDPR. Some proper experts with hands-on knowledge of the implications for us small business owners.
Key things I learnt about GDPR
One of the key things I came away with was that the GDPR is there to protect individuals' rights over how their data is handled. In other words, treat the data of others how you would like your own personal data treated: with respect and responsibility. Whilst it was originally the big companies abusing people's privacy that GDPR was aimed at, it affects all of us, regardless of the size of your organisation. Even if your small business is just you and only handles people's names and emails, if you process them in some way (e.g. store them, put them in your CRM or mailing list) you are affected.
They are there to help
The other thing I came away with was that you won't get fined for non-compliance out of the blue. There's a whole consultation process in which they try to find out what you might be doing (wrong) and set you straight, and as long as you respond and show that you're doing your best to comply, it's unlikely you'd receive the hefty fines they have the power to levy. They are there to help! So really, all we need to do is reduce the risk of being investigated in the first place.
Dropbox have produced an 8-step guide to help you get ready: https://www.dropbox.com/security/GDPR
What I’m doing about GDPR
Based on Dropbox’s helpful checklist here’s what I’m doing (and not doing).
1. Understanding my data
The data I have and collect is contact information that I've gathered either through networking meetings (formal and informal), online social media networking, or through people signing up to receive guides or newsletters via my various websites and online presence. I collect names and emails and they get stored in my CRM system. If someone turns into a prospect, then I'll also store phone numbers and some details relating to what I might help them with. When they turn into a client I'll collect even more data, some of it confidential and personal, that I need in order to perform whatever services I've agreed with them. I also have some paper records for clients and prospects, because it's easier to handle a bit of paper than faff around trying to find it on my computer.
2. Determining Ownership and Accountability
Easy. That'll be me, as there's just me in my business. This means it's up to me to adopt a data protection compliance programme (I love a good procedure!) and if I engage anyone to work in my team (virtually or in person), then I'll need to provide them with training on how to handle the data correctly. If I had staff (which I don't) then I'd also need to consider creating an internal data protection policy to protect the data of my employees. Phew, one less thing to worry about for now.
3. Ensuring a legal basis for processing
It's now a good time to actually document how I obtain and process the different types of data. Nowadays, the only non-client data I collect and process is from people who've signed up to something on my website or people I've met and followed up with.
I've seen well-meaning advice being bandied about that you need to get your existing list to double opt in (every year!). I asked the legal lady at the workshop her view on that.
Let's face it, most open rates are anywhere from 10-30% and the click-through rate even less. Anyone doing this would lose 70-90% of their list in one swoop!
On the one hand it might be a good idea to audit the list and remove anyone who is inactive, but since I communicate regularly with my list and there's always been an unsubscribe link in every communication, I don't need or intend to do this.
If you were communicating irregularly with your list, then it might be something to consider doing.
The GDPR requires us to be able to clearly demonstrate how and when consent was given.
My Constant Contact account logs when and how people signed up. There's a notes section, so I could manually copy and paste in the text from an email, or simply note in there how I got their permission if I was adding them manually. Being given a business card does not prove consent to be added to a mailing list.
What I don't do is automatically add people I've met to my email newsletter list without asking first. That's been my practice for quite a few years now. If I did, I'd be in trouble with my email marketing tool (Constant Contact), as a condition of adding people to it (and to most, if not all, email marketing tools such as Mailchimp, Drip etc.) is that you have their permission. It's not good practice to just add people to your mailing list (I wrote a blog article about adding network contacts to your list).
4. Understanding the rights of data subjects
Data subjects (the people you hold records of) have the right to access their personal data and to have it corrected or erased (the right to be forgotten). Now this could be a tricky one. At the moment anyone on my list can see their email preferences and amend them. If they unsubscribe, the system won't allow me to send any further emails to them.
However, their details are still held by the email marketing system and I still have access to them. That's so they don't inadvertently get added again if I were to, for example, import a list they were still on. So I think I'm covered on unsubscribes, because although the software doesn't let me completely 'forget' them, I still need a record that they should be suppressed. An unsubscribe is not the same as an erasure request, though: if someone actually asks to be forgotten, I'd need to check whether the provider can delete the record, or at least reduce it to the bare minimum needed to keep them suppressed.
5. Ensuring Privacy by Design
'Privacy by design' is to become an explicit legal requirement, so I need to begin considering how to build it into my business processes. Since the only place I store personal information is in off-the-shelf online systems, I'm relying on them doing the necessary secure and encrypted techno stuff, but I can't keep my head in the sand on this (see point 8).
If I were a masseur or beautician and kept paper records of clients' treatments and personal conditions, then I'd want to make sure that data was kept secure, for instance by keeping the cards on which I write their treatments in a locked cupboard.
And I've not forgotten the paper records I do have of clients. I'm going to go through them, shred any documents I don't need, and what's left will go back in the lockable cabinet (which must be locked!).
6. Preparing for breach management
This is quite an onerous one. If my data was breached, I need to notify the correct authority (the ICO) promptly; the GDPR sets a deadline of 72 hours from becoming aware of the breach, unless it's unlikely to put anyone at risk. How might my data be breached? Being robbed, or having my laptop, tablet or phone stolen or lost, is the most obvious way. Being hacked, or leaving my devices unlocked in public places, might be another. Or someone breaking into my home office. Which is why that cabinet needs to be locked, and why a screen lock and full-disk encryption on each device matter: a lost encrypted device is a lost device rather than a readable copy of everyone's details.
7. Communicating Essential Information
8. Working with Providers
This one is also important, because if one of your suppliers (who handles your data) has a security breach that affects you, then you both carry responsibility. The recommendation is to check with all your suppliers that they meet the necessary standards for data protection.
I'm not going to worry too much about this one. I use well-known companies like Constant Contact, Dropbox and Xero, and they have to make themselves compliant to stay in business or customers will drop them. The one thing I do still need to do is make sure I have their data processing terms in place; the big providers publish these, so it's a matter of accepting them rather than writing anything myself.
There was some well-intentioned misinformation that said we could no longer use companies that had their servers outside the EU, so we'd have to move. Thankfully that is not the case. US companies can sign up to what's called the EU-US Privacy Shield, which declares that they meet equivalent privacy and security standards, and Canada is covered by an EU adequacy decision. So I won't be moving my current non-EU services from where they are at the moment.
So there you go, a quick rundown of how I'm preparing for GDPR compliance. Have you thought about it too? Let me know in the comments.
I'm not a legal expert and I'm not proclaiming any advice or information in this article to be suitable for you and your business. It's up to you to do your own research and take legal advice. I'm merely giving you an insight into how I will tackle GDPR compliance in my business.
You can access full details of the GDPR from the ICO website.