Your 11th Hour GDPR Guide
OMG, it’s nearly here! Yes, the frantic concerns over GDPR are everywhere and now the day is nearly upon us. Are you prepared? Or do you wish someone would just come along and make it easy for small business people like us? Your wish is granted. :D
11th Hour Emergency GDPR Guide
Time required: 30 minutes to implement
GDPR came in as a response to give individuals more rights and protection over their personal data. There are five main reasons why a company or organisation has legal grounds for holding personal data. They are: individual consent, legitimate interest, performance of contract, vital interest and legal requirement.
What can you do so that your organisation can comply quickly at the 11th hour?
Step 1. Get Your Website compliant
Not required but super cool: have a page which gives visitors and clients options on how to keep in touch with you. It’s super easy to do and is a lovely way to show visitors that you’re thinking of them. Check out mine here.
Step 2. Review Third Parties (DPOs)
Make sure you review applications you use that process personal data on your behalf (Data Processing Organisations, DPOs). You need to ensure they are GDPR compliant as well. Most big brand companies have strict controls over personal data, the likes of Strikingly, Google, Paypal, Facebook, Mailchimp, Eventbrite, etc. If you’re using any of these applications you should be fine, but it is still your responsibility to ensure that they (and all DPOs you use) are processing your clients’ data in the manner required by law. You can find Strikingly’s GDPR Compliance statement here.
Step 3. Review Personal Data Categories
The general rule, for data protection principles, is to only store personal data for as long as is necessary, to store it securely and, when required, to delete personal data securely too. The legal grounds for holding personal data fall into five categories. Review each one.
1. Legal requirement: some services (solicitor services, accounting, etc) are legally required to hold information for a period of time. In this situation, you must hold data securely for the period required by law. This is not a new requirement so should not necessitate a new process for most people.
2. Vital interest (of person) or public: typically in the case of medical professionals, personal data is held to help the individual.
3. Performance of contract: if you’re selling goods online or have people enrolled in training or a class, you may need their information to deliver that service. You can use this for the performance of contract but should get explicit consent to use it for anything further.
4. Legitimate Interest: this is when you use people’s data in ways they would reasonably expect and which have a minimal privacy impact. Perhaps someone’s done business with you in the past. They do not want your newsletter but they do expect to hear from you on matters that might normally be expected in the course of doing business. It is reasonable to assume that holding personal data for this type of communication is fine when it is balanced.
5. Individual consent: this is explicit consent given to you for the purposes of marketing or providing communication from your company. When you do not know someone, you should get their explicit consent before sending them marketing information such as an email newsletter.
Items 1 and 2 are not new and do not apply to everyone. If you are handling this type of data, you should already be handling it securely.
Item 3 (Performance of contract) - have a policy in place to hold data for the performance of contract and, when completed, decide if there is a legitimate interest in continuing to hold their data, or ask for their explicit consent and get them on your newsletter. Whatever you choose, make sure you have a policy in place and that it is clear.
Item 5 (Individual consent) - if you’re marketing to people on a regular basis (such as with a newsletter), you need to get explicit consent. If you have a newsletter in place, make sure to ask them if they wish to continue to receive it. All major email marketing platforms have consent templates available. If you are unsure how to do this and are short on time, you can email your contacts directly and ask them to reply with a ‘yes’ or ‘no’, then update your database accordingly.
Step 4. Review offline devices and files
You also need to look at things like your devices -- your phones and laptops which contain customer data. Are there passwords, locks and security in place? Have you paper files? These matter too. As you do business, think about whether you’re handling personal data, whether it’s secure, and whether there are controls in place to protect it. If the answers are yes, you’re good to go.
That’s it in a nutshell. Now, that wasn’t so hard was it? :D