Why (most) people need to stop freaking out about GDPR

What's going on?

Well, today is a big day for people's personal privacy! Before today, the law was a little vague on some of the finer aspects of how your personal information could be used. This meant that companies got away with collecting lots of data about you, often without your explicit consent (or, sometimes, without your knowledge at all) and using it for marketing reasons.

The major problem was that people simply didn't know what companies were collecting, or what they were doing with it. Sometimes, methods of data collection meant that even your friends' data was collected without you or them knowing!

So why am I getting all these emails?

Are you sick of the emails yet?!

  • "Hi - we'd really miss you if you left us!"
  • "Can we still contact you?"
  • "The law is changing! You have to click this button!"
  • "Can you even remember who we are? PLEASE let us email you?!"

The new GDPR rules have changed what companies need to do with regards to the data they hold about you. The rules came into effect today and it has lots of companies worrying, mostly more than they need to (though some not enough!), but essentially it caused most companies to "reconfirm your consent" to things like marketing.

I thought I already gave consent?

You probably did. For many people, you gave consent by signing up for content and accepted that you would receive marketing emails. Newsletters, offers, promotions etcetera - but the new rules have people worried so much that they thought it best to double check again, just to be sure.

However, you may also be getting emails from "3rd parties" (i.e. your details were passed on by one company to another) without you realising, so now is a good time to clear out who you are subscribed to.

You got a huge flurry of them because everyone either waited until the last minute to sort out GDPR or didn't realise what was involved. For bigger companies, it has meant HUGE change so they have taken the 2 years since it was announced to get it in place. For smaller companies, I dare say they simply waited for the deadline and thought they had better do something about it! Thankfully, now the day is here, your inbox should calm down!

So do I need to do anything as a business?

Yep. Any company that handles customer data has to comply. That includes Business to Business companies, not just the businesses that interact with consumers.

So quickly, what is GDPR again?

Well, the topic is huge but here we will try and summarise some key principles for smaller businesses.

Personal data should:

  1. ... be processed lawfully, fairly and in a transparent manner
  2. ... only be used for the purpose it was collected and not for anything that is incompatible with those purposes
  3. ... be adequate, relevant and limited only to what is necessary in relation to purposes for which they are processed
  4. ... be accurate and, where necessary, kept up to date. Out of date info should either be rectified or deleted without delay
  5. ... be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
  6. ... be processed in a secure manner so that customer data is not compromised

You also need to be sure someone is listed as accountable for any data you are using (you are the "Data Controller").

Er, thanks - what does that mean?

Well, let's have a look at these again but break them down further. We have provided links to the excellent summary pages of the ICO website - check out the "Checklist" section of each page to help you further:

"... be processed lawfully, fairly and in a transparent manner"

Are you absolutely clear on what data you are collecting and why you are collecting it? Also, what are you going to do with it? If your intention is (possibly) to pass details on to other parties, you need to ask for consent to do that (transparency). You might want to update privacy statements to explain what your position is. Also, you cannot pre-populate forms with a tick and make it so the customer has to opt OUT of something - always leave it blank and allow them to opt IN if they want to. And don't mislead people on what they are getting into!

"... only be used for the purpose it was collected and not for anything that is incompatible with those purposes"

For example, if you are collecting an email address to be able to send a receipt for a product you just sold them, you can't add them to your newsletter automatically. They didn't ask to be included and you didn't get their email address to send marketing emails, only for sending a receipt. Do you know why you hold customer details? If you want to do something new with their data, ask them first!

"... be adequate, relevant and limited only to what is necessary in relation to purposes for which they are processed"

If you have ever seen a quiz online that "determines what your Cat Name would be!" (or some other equally droll quiz), you ought to know that part of the consent you gave at that time was to allow that company to glean info from your profile to then target you with ads. They won't be able to do that any more! As for your business, be sure that you only use customer data for what you are telling them you will use it for!

"... be accurate and, where necessary, kept up to date. Out of date info should either be rectified or deleted without delay"

There is zero point in keeping details on a customer with whom you haven't exchanged details in years. Get rid of it. You can always send an email saying "We haven't spoken in a while so I will remove you from my database. If you think we should stay in touch let us know".

"... be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed"

Being able to personally identify users is important for privacy concerns and as such you should be careful about what you hold and for how long. Customers have a "right to be forgotten" - this means if they say "please remove all the details you have about me and don't contact me again", you have to comply. If you use newsletter software, they can do this by unsubscribing (hence all the emails recently). If you hold other customer data, consider how long you should be keeping it and put a procedure in place for what to do once you reach that limit.

"... be processed in a secure manner so that customer data is not compromised"

Customer data should not be allowed to go missing, be captured, stolen etc. Are you sure your customer data is safe? For most, you will be using products like Google, Mailchimp, Stripe etc - as you are a customer of those companies, they will need to prove they are GDPR compliant and as such you can take comfort when you find out they are. You can pass that comfort on to customers by stating you use GDPR compliant systems and service providers. However, you may also hold data "offline" or be using companies that have not yet confirmed they are GDPR compliant - you need to be sure you have taken the necessary steps to secure all personal information. You also need to know what to do if there is a breach of some kind.


Thanks! So now what?

Well, here are 7 practical steps to help you comply with GDPR.

  1. Know the law is changing – which you now do, so that’s one thing you’ve done already!
  2. Make sure you have a record of the personal data you hold and why.
  3. Identify why you have personal data and how you use it.
  4. Have a plan in case people ask about their rights regarding the personal information you hold about them.
  5. Ask yourself: before I collect their data, do I clearly tell people why I need it and how I will use it?
  6. Check your security. This can include locking filing cabinets and password-protecting any of your devices and cloud storage that hold your staff or customers’ personal data.
  7. Develop a process to make sure you know what to do if you breach data protection rules.


Hang on, that seems like a lot - why shouldn't I freak out?

Firstly, it's all sensible stuff you should have in place anyway and so should not be hard to collate (depending on the size of the business).

Also, the law has come into effect TODAY. The Information Commissioner's Office will not be beating down our door tomorrow to check that we are compliant. Their first port of call will be the larger companies, most of whom are the ones that supply smaller companies with services to then support end consumers (these are the "Data Processors").

We have, however, looked at our processes and consider ourselves compliant. We will continue to monitor our processes and systems as the privacy of our customers is vital to us, and so will periodically update our privacy settings to reflect an improved position. Plus, not only do we have a detailed map of what data we hold on our customers (and why), but also of how their customer data could be impacted by system breaches.

With regards to our customers, we will be supporting them with privacy statements and data protection updates.

So in summary:

  • Make sure you have consent to hold customers' data
  • Only collect what you need to do the task you collected it for
  • Only use the data for the task you told the customer you were needing it for
  • Be prepared to delete it if the customer wants it deleted
  • Don't hold on to it for longer than you need to
  • Don't share it unless you have permission to do so
  • Make sure it is secure wherever it is held

Simple!