General Data Protection Regulations (GDPR)
What is GDPR?
General Data Protection Regulation is a set of rules that businesses must follow if they keep any personal information about employees, customers, potential customers, or any personal information about the public.
This is just for big businesses though, isn’t it?
No, it’s relevant to all businesses based in Europe, including the UK.
What must I do to comply with GDPR?
You need to make sure:
- You have the person’s permission to store and use their information.
- You inform the person about how you will use their information.
- You keep their data secure.
- You make sure the information is accurate.
- You keep an inventory of what information you store, where it’s stored, and what it’s used for.
- You keep a record of where the personal data came from and when permission was granted. (It’s up to the business owner to have proof.)
- If a person requests that their information be deleted, you have a protocol in place to carry this out.
How Should I Implement GDPR?
You should perform a data protection audit and document what personal information you store, where it is stored, what it is used for, and whether it is secure (for example, password protection or a locked filing cabinet).
You should document the personal data you hold, where it came from and who you share it with.
Keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented.
Inform people that they have the right to withdraw consent at any time, and how they do this. It must be easy for an individual to withdraw consent, so you will need simple and effective withdrawal mechanisms in place.
What about Email Opt-ins on my web page?
From May 2018 you are required to get permission from an individual to use their information. You can no longer use a pre-checked tick box or other consent-by-default methods. You need to request the user’s agreement and tell them exactly how their information will be used.
What if I don’t Comply?
If there is an issue then you could be fined four percent of your annual turnover or €20 million, whichever is the greater.
Things to Do
Designate a Data Protection Officer as the person responsible for overseeing compliance with the data protection regulations.
Complete an inventory of stored personal information.
The inventory needs to document:
- What information is stored (names, addresses, email, phone numbers)
- What the information is used for (purchase records, marketing, employment…)
- Where the information is stored
- Who has access to the information (including third party business)
- When the information was collected
- That the person, or company, gave permission for storage and explicit use
There should be a protocol in place in case of loss of the information, or a data breach. (Individuals whose information has been compromised should be informed within three working days.)
Check your website and email marketing software.
You must be explicit when collecting personal data from your website, such as email addresses. This means you can no longer use a pre-ticked box as a method of collecting the information for use. It also means that you must inform the person exactly how you will use their information. (You can’t collect an email address and then pass it to a third party unless you have informed the person and gained permission to do this.)
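The two record-keeping points above (what the person was told, what they agreed to, when and how, plus an easy withdrawal route) and the rule against pre-ticked boxes can be turned into a small consent ledger. The following is an added example written for this article, not code from the original post; the form field names (consent_newsletter, consent_third_party_marketing) and the purposes list are assumptions. A browser submits nothing at all for an unticked checkbox, so the ledger treats anything other than an explicitly submitted tick as no consent, and a separate check flags form templates that render a consent box with the checked attribute, which the server could not otherwise tell apart from a genuine tick.

```python
"""Consent ledger for personal data collected through a web form.

Added example for the article above (not the author's code). Field names
such as 'consent_newsletter' and the PURPOSES list are assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Each purpose needs its own tick box; nothing is consented to by default.
PURPOSES = ("newsletter", "third_party_marketing")


@dataclass
class ConsentRecord:
    email: str
    purposes: frozenset               # what they agreed to (may be empty)
    notice_text: str                  # exactly what they were told
    method: str                       # how consent was given, e.g. "web form"
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self):
        self._records = []

    def record_submission(self, email, fields, notice_text, method="web form", now=None):
        """Record one form submission.

        Only a box the user actively ticked (submitted as 'on') counts.
        A missing field, the browser's behaviour for an unticked box, is no consent.
        """
        now = now or datetime.now(timezone.utc)
        purposes = frozenset(p for p in PURPOSES if fields.get(f"consent_{p}") == "on")
        rec = ConsentRecord(email, purposes, notice_text, method, now)
        self._records.append(rec)
        return rec

    def withdraw(self, email, now=None):
        """Withdraw all live consent for a person; returns how many records were closed."""
        now = now or datetime.now(timezone.utc)
        closed = 0
        for r in self._records:
            if r.email == email and r.withdrawn_at is None:
                r.withdrawn_at = now
                closed += 1
        return closed

    def has_consent(self, email, purpose):
        """True only while an unwithdrawn record names this purpose."""
        return any(r.email == email and r.withdrawn_at is None and purpose in r.purposes
                   for r in self._records)

    def evidence(self, email):
        """Audit trail for one person: notice, purposes, method, granted/withdrawn times."""
        return [(r.notice_text, sorted(r.purposes), r.method, r.granted_at.isoformat(),
                 r.withdrawn_at.isoformat() if r.withdrawn_at else None)
                for r in self._records if r.email == email]


INPUT_TAG = re.compile(r"<input\b[^>]*>", re.I)


def preticked_consent_boxes(html):
    """Return the names of consent_* inputs rendered with the 'checked' attribute.

    The server cannot distinguish a pre-ticked box from one the user ticked, so the
    template itself has to be checked before it is served.
    """
    bad = []
    for tag in INPUT_TAG.findall(html):
        name = re.search(r'name="(consent_[^"]+)"', tag, re.I)
        if name and re.search(r"\bchecked\b", tag, re.I):
            bad.append(name.group(1))
    return bad


if __name__ == "__main__":
    ledger = ConsentLedger()
    notice = ("We will email you our monthly newsletter. We never pass your address "
              "to other companies without asking you first.")
    # Constructed submissions: ann ticked the newsletter box, bob ticked nothing.
    ledger.record_submission("ann@example.com", {"consent_newsletter": "on"}, notice)
    ledger.record_submission("bob@example.com", {}, notice)
    print(ledger.has_consent("ann@example.com", "newsletter"))             # True
    print(ledger.has_consent("ann@example.com", "third_party_marketing"))  # False
    print(ledger.has_consent("bob@example.com", "newsletter"))             # False
    ledger.withdraw("ann@example.com")
    print(ledger.evidence("ann@example.com"))
    # Constructed template fragment with a pre-ticked consent box.
    print(preticked_consent_boxes('<input type="checkbox" name="consent_newsletter" checked>'))
```

Sharing with a third party is then a call to has_consent(email, "third_party_marketing") before the data leaves the business, and the evidence() output is what you would hand over when asked to demonstrate what the person agreed to.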
Proportionate Processing for Legitimate Business
Gaining explicit permission for processing personal information may not be required in certain circumstances. If a business has a legitimate reason for processing or keeping personal information, then this is allowable under GDPR rules. For example, personal data that has been collected to complete an online purchase can be sent to a payment gateway to complete the transaction. This would be expected by the customer and would not need explicit confirmation. Confirmation of the sale by email would also be a legitimate process for which the customer would not need to give explicit permission.
Generally, you should obtain specific agreement from the individual. However, there are circumstances in which you can treat an individual subscriber as having consented to receiving emails from you, even though they haven’t specifically done so. This condition is satisfied if the individual is already a customer, has entered into negotiations with you with a view to a sale, or has registered an interest in a product and allowed their email address to be recorded for future marketing use. You should always have an opt-out method attached to emails sent to these customers.
You can also email non-personal email addresses for marketing purposes. These would include addresses such as info@ or sales@.
However, having said all of the above, there are exceptions that you may find relevant to your business.
Small Businesses – Fewer than 250 Employees
Smaller firms, with fewer than 250 employees, do not have to comply with all GDPR rules as standard. You do not need to register a data protection officer, and if your business falls into this band there’s no need to document why personal data is being collected or processed, or how long you have kept the data. Small firms are not required to keep records of processing activities unless this carries a risk to the rights of the person, or it relates to certain data such as criminal convictions and offences.
You have 72 hours to report a breach – where feasible
Personal data breaches need to be reported to the relevant data protection agency within 72 hours. Individuals whose data has been compromised will also need to be notified. However, if the breach “is unlikely to result in a risk to the rights and freedoms” of people, then there is no need to report it. Also, small businesses have a slight get-out clause with the insertion of the “where feasible” phrase attached to the 72-hour limit.
Please be aware that the information given here is my personal interpretation of the GDPR rules, and as such should not be taken as being legally correct. To check, you should visit the Information Commissioner’s Office information for confirmation and further in-depth detail.
Since writing this article I have found that many businesses fail to understand the basic concept of the GDPR rules. I’ve had hundreds of emails stating that they are complying with GDPR and if I don’t want to receive any more emails then I need to inform them. I’ve even had a letter from a large UK-based organisation stating “As part of the new GDPR regulations please tick this box and returns, if you no longer want to receive mail from us.” Both of these methods are illegal under the new rules, as they are classified as consent without action.
My tips for small businesses complying with GDPR are:
- Do an inventory of the personal information you store. It’s a good excuse to understand what you are storing and whether you really need it.
- Make sure that you ask new customers for permission to keep their information, and tell them what it will be used for.
- Always have a working ‘unsubscribe’ link at the bottom of all your email correspondence.
- Give the option to ‘stop receiving mail’ on all written sales letters.
- Don’t share personal data with other businesses without the consent of the individual. Remember, consent must be explicit and must never be assumed.
A useful checklist that makes it easy to check whether you’re complying with GDPR is available to download from the ICO.
Thanks for reading
P.S. If there’s anything I have missed, or that needs correcting, then please comment in the box below…