Today I have something for you that is on everyone's mind - it's all about GDPR!
If you think it doesn't apply to you - I'm sorry to say you are WRONG!
I have been speaking a lot to the lovely Leanne of Leap HR who has kindly decided to write a blog post today to help you all! If you have any questions, please put them in the comments - both Leanne & I will be on hand to answer them!
On that note, over to Leanne...
New Data Protection Regulations (GDPR) – a practical overview.
I see and hear comments daily from businesses large and small of genuine surprise that there are fairly significant changes coming into force that will impact them.
In reality this key piece of EU law was passed back in 2016, and businesses have been allowed until 25 May 2018 to get ready. That said, the Information Commissioner's Office (ICO) has so far only published an overview; the finer detail is still being worked on. Irrespective of that lack of detail, common sense can be applied now to start getting your house in order.
Who does GDPR affect?
Every business. That's the reality.
There is not one business that doesn't hold some form of information about others. Whether it's a customer, a supplier or an employee, you will have some sort of data.
The obvious things are email addresses, postal addresses and phone numbers, but it also includes IP addresses, employee numbers and, basically, anything that can be used to identify an individual.
Every business will be different, so every business will need to review what they have.
Data Protection (DP) isn’t new. As business owners and managers, you should already be aware of DP, and you should already have processes in place to protect people.
But the reality is that many businesses don't. That is why this change is having such an impact now: there is a great rushing around to see what is needed, and some are raking it in on the 'cash cow' that invariably comes with something new that everyone is responsible for.
Don't forget that you are also a person, so before arguing that the law is ridiculous, stop and think how you would feel if your personal information were shared.
How do you feel when you get numerous calls offering to sort out your PPI? Most people hate it. So why, as a business owner, would you let it go on in your own company?
What will happen if I don't do anything about GDPR?
Potentially there are fines, and they are not small: up to 4% of your global turnover or £20 million, whichever is higher. Most of us don't have that sort of turnover, but suffice it to say there is an impact.
The ICO doesn't particularly want to fine people; that solves nothing. What it wants is to ensure that personal information is secure and not shared willy-nilly.
It wants to stop the harrowing tales of constant harassing calls asking for money, of people being put on lists for goods they don't want or need, and of people's personal data being published "out there" when it is not needed. The legislation is there to protect everyone.
In 2015, Olive Cooke, a poppy seller aged 92, received hundreds of letters asking for donations. She parted with a lot of money and in the end took her own life.
Many of us have common sense, but some do not, and those people prey on the vulnerable in a way that is quite frankly wrong.
GDPR - What do I need to do?
There are 12 steps you need to take. These are all listed on the ICO website in the document "Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now".
Essentially you should do an audit.
Review and challenge the information that you hold:
- Why do you have it?
- How long do you hold it for?
- Is it necessary?
Some things have to be retained for statutory purposes; that's ok, just ensure you are consistent.
Make sure that everyone knows your policy, and that anyone who works for you is trained on the legislation and on how to respond to questions. So create a policy, which will need to be published on your website and made available to anyone who asks.
The Individual's Rights - GDPR
Make sure you understand individuals' rights; there are 8 to consider.
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to data portability
6. The right to object
7. The right not to be subject to automated decision making, including profiling.
If you hold lists, such as customer information, then you MUST contact them all and ask for their express consent. If you don't hear back, then you MUST delete their information. This is big for those of you who rely on lists, and I am aware of people with tens of thousands of names.
Yes, you have to contact them all.
Gone is the ability to pre-populate a tick box. People must fully understand what their information is being held for.
Employers need to make sure that employees are aware of the data held about them. Employees can't ask you to delete everything, because some things have to be held for legal purposes; just make sure that you genuinely need what you have. 'Just because' is not an acceptable reason.
Make sure that your systems are all checked and secure, and that passwords are set individually and reset on a regular basis. Cyber security, and awareness of the possibility of hacking, is critical these days.
As the business owner, it is YOUR personal responsibility to see this done.
Will it cost you anything? It will cost time to do some housekeeping and to review the impacts for your business. The bigger or more complex your business, the more likely you are to need outside expertise to ensure that you comply. There is a lot of scaremongering out there, but it could cost you a lot if you don't act now.
The ICO says that consent must be "freely given, specific, informed, and unambiguous", and that it must inform subscribers about the brand that is collecting the consent and about the purposes for which personal data is being collected.
- Use easy, clear language, so customers understand what they are signing up for. If there is any doubt, it is not valid consent.
- Customers should actively opt in, so no pre-populated ticked boxes and all options should have equal prominence.
- Let customers freely choose content, channel and frequency, and gain consent for each.
- Do not tie consent to other agreements nor use incentives.
- Explain clearly how customers can withdraw consent. For example, say "all our communications contain an unsubscribe link" or something to that effect.
- Make it very clear what your customers are getting from you and why - and how they can get out of it.
- Ensure that you have a policy on your website on Privacy/Data Protection.
Leanne & I hope that the tips and information above help, but if you have any questions, please leave a comment and we will get back to you!