Your 11th Hour GDPR Guide
Note: this article was originally written in May 2018 when GDPR came into force in Ireland, but it is still very relevant today for getting yourself set up.
OMG, it’s nearly here! Yes, the frantic concerns over GDPR are everywhere and now the day is nearly upon us. Are you prepared? Or do you wish someone would just come along and make it easy for small business people like us? Your wish is granted. :D
11th Hour Emergency GDPR Guide
Time required: 30 minutes to implement
GDPR was introduced to give individuals more rights and protection over their personal data. There are five main grounds on which a company or organisation may lawfully hold personal data: individual consent, legitimate interest, performance of contract, vital interest and legal requirement.
What can you do so that your organisation can comply quickly at the 11th hour?
Step 1. Get Your Website Compliant
Note that they will try to get you to sign up for a free Shopify trial but you do NOT need to do this to use the generator. And if you want a Shopify trial, see me! I am a partner. ;)
Not required but super cool: have a page which gives visitors and clients options on how to keep in touch with you. It’s easy to do and is a lovely way to show visitors that you’re thinking of them. Check out mine here.
Step 2. Review Third Parties (DPOs)
Step 3. Review Personal Data Categories
The general rule under the data protection principles is to store personal data only for as long as is necessary, to store it securely and, when required, to delete it securely too. The legal grounds for holding personal data fall into five categories. Review each one.
1. Legal requirement: some services (solicitor services, accounting, etc.) are legally required to hold information for a period of time. In this situation, you must hold the data securely for the period required by law. This is not a new requirement, so it should not necessitate a new process for most people.
2. Vital interest (of person) or public: typically in the case of medical professionals, personal data is held to help the individual.
3. Performance of contract: if you’re selling goods online or have people enrolled in training or a class, you may need their information to deliver that service. You can use the data for the performance of the contract, but you should get explicit consent to use it for anything further.
4. Legitimate Interest: this is when you use people’s data in ways they would reasonably expect and which have a minimal privacy impact. Perhaps someone’s done business with you in the past. They do not want your newsletter but they do expect to hear from you on matters that might normally be expected in the course of doing business. It is reasonable to assume that holding personal data for this type of communication is fine when it is balanced.
5. Individual consent: this is explicit consent given to you for the purposes of marketing or providing communication from your company. When you do not know someone, you should get their explicit consent before sending them marketing information such as an email newsletter.
Items 1 and 2 are not new and do not apply to everyone. If you are handling this type of data, you should already be handling it securely.
Item 3 (Performance of contract) - have a policy in place to hold data for the performance of the contract and, when the contract is completed, decide whether there is a legitimate interest in continuing to hold their data, or ask for their explicit consent and get them on your newsletter. Whatever you choose, make sure you have a policy in place and that it is clear.
Item 5 (Individual consent) - if you’re marketing to people on a regular basis (such as with a newsletter), you need to get explicit consent. If you already have a newsletter in place, make sure to ask subscribers whether they wish to continue receiving it. All major email marketing newsletter services have templates available for this. If you are unsure how to do this and short on time, you can email your contacts directly, ask them to reply with a ‘yes’ or ‘no’, and then update your database accordingly.
Step 4. Review offline devices and files
You also need to look at things like your devices -- the phones and laptops that contain customer data. Are passwords, locks and other security measures in place? Have you paper files? These matter too. As you do business, think about whether you’re handling personal data, whether it’s secure, and whether there are controls in place to protect it. If the answers are yes, you’re good to go.
That’s it in a nutshell. Now, that wasn’t so hard was it? :D
Wishing you much continued success,