14 May GDPR
GDPR: General Data Protection Regulation
GDPR. We’ve all heard of it. We all thought we had loads of time to prepare and now with just a matter of weeks to go, everyone seems to be in a blind panic. What do you need to do? Are you going to be fined? Who can you ask for help?
Firstly, don’t panic. GDPR is all about making sure that the data you have is controlled and protected – which is exactly what you’d want anyone to do with the data they hold about you. I’m sure many of you already have most of the requirements in place but there is so much information out there that no-one seems to know if they’re ready or not. The ICO have put together a really useful self-assessment page to help you understand if you’re compliant and what you need to do, but to be honest I still don’t think this makes it very clear, so here are some simple guidelines to help you:
Protect all Data
If you hold and process personal information (i.e. data which can be used to identify an individual) about your clients, employees or suppliers, you are legally obliged to protect that information. Under the Data Protection Act, you must:
- Only collect information that you need for a specific purpose
- Keep it secure
- Ensure it is relevant and up to date
- Only hold as much as you need, and only for as long as you need it
- Allow the subject of the information to see it on request
Be sensible and apply common sense. If you carry a laptop around with personal information on it, make sure it is fully password protected and encrypted so that if it fell into the wrong hands the data would still be secure. If you need help with data security or encryption, I can highly recommend Castle IT who will advise you in a normal language!
Keep Accurate, Controlled Records
Make sure that the data you hold is kept up to date and that it is controlled. Make sure that you have clearly defined rules in place within your organisation, and make sure that you can provide information if you are asked for it.
What About Direct Marketing Lists?
This question comes up a lot. If you do telephone, email or other electronic marketing then you need to comply with the Privacy and Electronics Communications Regulations.
- Have consent to send people marketing, or to pass their details on
- Be able to demonstrate that consent was knowingly and freely given
- Not call any number on the TPS list without specific prior consent
- Not send marketing texts or emails to individuals without their specific prior consent
- Stop sending marketing messages to any person who objects or opts out of receiving them
- Carry out rigorous checks before relying on indirect consent (ie consent originally given to a third party)
So those are the basic rules for marketing – but what do you actually need to do?
- If you bought in your data list or if you did not get specific consent to send information, you need to email everyone on your list and specifically ask for consent to continue sending to them. Email marketing tools like Mailchimp have really useful templates ready for you to use to let people check their information and unsubscribe if they wish to. Ideally this should’ve been done some time ago, so you need to act fast. Some people will review and update their data. Some people will unsubscribe. Some people will ask you to unsubscribe them. Others will just completely ignore your request. You can send them a friendly reminder before 25th May, but if they do not respond, you do not have their consent, so you should remove them from your list to be GDPR compliant.
- Don’t use pre-ticked boxes or any other method of consent by default. Your recipients need to manually opt-in to receive information from you. Again, Mailchimp has GDPR compliant sign-up forms which are very useful.
- Only use the data for the intended purpose. If someone signs up to receive a specific type of marketing from you, make sure that you only use it for this purpose.
These are the basic guidelines to help you check if you are compliant. The ICO have issued a huge amount of information to help small businesses with GDPR compliance. Please make sure you take a look through the information and run through the self-assessments to make sure you’re all ready before 25th May.