The General Data Protection Regulation (GDPR) enforcement date is almost upon us and everyone seems to be in a panic over it!
No, Brexit won’t make any difference to whether you have to comply or not and yes after the 25th May, 2018 you may face fines of up to 4% of your annual turnover.
However, it’s not as apocalyptic as everyone is making out. In fact, many of you are already doing most of the things you need to do to be compliant – phew!
So, let’s get down to it…
What is GDPR?
The General Data Protection Regulation will introduce a seismic shift in the way any company with clients or workers in the EU collects, stores, manages and uses personal data.
It will give individuals real choice and control over how their personal data is used.
It gives people the right to know how their data is used, who it will be shared with – they have the right to see it, complain about it and get it removed. It gives people the right to consent or refuse to share their data unless it is lawfully required to do so i.e. payroll or tax or necessary to complete a transaction.
Consent must be freely given, specific, informed and unambiguous. Information that is no longer necessary must be erased without undue delay.It will become a lot easier to withdraw consent given for a specific purpose.
However, don’t worry too much as very little is new.
How do I know if it affects me?
If you have staff, or clients and store personal data it affects you. It affects almost everyone who owns and runs a business.
If you have a HR, finance outsourced function, make sure that your staff know that their information will be shared with these people in the Privacy notice.
What is the ‘right to be forgotten’?
It gives an individual personal control over their data, what it is used for, by whom and the right to get it deleted and complain if they do not feel it was used in line with the purpose for which they gave consent. In summary individuals have the right to know what their data is being used for and to withdraw their consent if they are not happy about it.
How exactly does GDPR affect small businesses?
In general, businesses should carry on as they have been. You will need to draft privacy notices for all your existing staff and provide them to all new staff. If you have a website or app you need to draft one for that too. Also you should request specific consent from individuals as well as agreement to terms and conditions, ask them to give consent to using their information and direct them to a privacy notice.
Here’s an example from Selfridges – a major brand who have already started doing this…
How do I go about preparing for GDPR?
Ensure you draft a privacy notice, one for staff and one for clients which details why you are collecting information, what you are collecting, how it will be used, if their information will be passed onto any third parties, who they are, right to withdraw and withhold consent, who to complain to.
When do I need to use a privacy notice?
You need to use them for any employees, clients on your websites, apps, newsletters etc.
Let’s talk about newsletters – If people opted in on their own to my newsletter, do I need to go and have them all re-subscribe?
No, as long as they have the right to unsubscribe. That being said, some retailers are asking via email in any case now. So you could consider sending out a group email asking people specifically if they wish to withdraw their consent.
How can I make sure you mailing lists are safe?
Opt in and opt out boxes are important. Also, put a privacy notice on and make sure people can subscribe and their information deleted.
Where do I store data for it to be compliant? How do I keep it secure?
No different to now, passwords, locked filing cabinets, secure payment systems.
What is the best way to get rid of data that does not comply?
Delete it and shred it! Simply put, if someone has stated they no longer want to be on your email list, sales list or any other list then get rid! Their data must be removed.
Want to find out more?
You can visit the ICO website and the EU GDPR website for more information, or ask your lawyer for further advice.
In particular the examples from the ICO might come in handy.
If you are a Blue Patch member, then you can take a look at the Blue Patch members Facebook group for the GDPR Q&A with Olga Crosse from Crosse HR that we did last week. If you would like more specific advice on this matter, Olga Crosse has the answers to your questions.
Want to become a Blue Patch member? Take a look here.
Preeti is the Marketing Manager at Blue Patch. Born and raised in India, she spent some time in the US, completing a degree in Psychology and Biology, after which she moved to the UK in 2010 to study an MSc in Finance and Management. She can often be found obsessing over her plants, trying to clamp down on an ever-increasing collection of nail polish or exploring and taking photos of random corners of London. She plans to keep an eye out on GDPR and how it affects small businesses.