Your 11th Hour 'Emergency' GDPR Guide

Getting your Strikingly website GDPR compliant

Resources and Tips

Your 11th Hour GDPR Guide

GDPR came into force in Ireland in May 2018. Are you prepared? Or do you wish someone would just come along and make it easy for small business people like us? Your wish is granted. :D

11th Hour Emergency GDPR Guide

Time required: 30 minutes to implement

GDPR gives individuals more rights and protection over their personal data. There are five main reasons why a company or organisation has legal grounds for holding personal data. They are: individual consent, legitimate interest, performance of contract, vital interest and legal requirement.

What can you do so that your organisation can comply quickly at the 11th hour?

Step 1. Get Your Website compliant

Get your legal policies in place and visible. You need a privacy policy and, if you don’t have one already, a terms and conditions document. Get both of these completed and visible on your website so that they are public. Shopify have lovely generator tools that can create both of these for you. In as little as two minutes, you’ll get an email with a link to your document. Review each of these and make sure they make sense and are applicable to your company or organisation. You may need to make minor modifications (5 to 10 minutes) but you should be good to go fairly quickly.

Note: they will try to get you to sign up for a free Shopify trial but you do NOT need to do this to use the generator. And if you want a Shopify trial, see me! I am a partner. ;)

Terms & Conditions 

Privacy Policy 

Review my privacy policy here. (you’re very welcome to copy mine). :D

Ensure your website forms are GDPR compliant. If you’re using Strikingly, complete the T&Cs and privacy policies (as above). Then turn on the ‘GDPR’ option in settings. You can see how to do that here (video) and read more about it here.

If you’re collecting emails using something other than Strikingly, check the company’s site for adding a GDPR option. You can find one for Mailchimp here.

Not required but super cool: have a page which gives visitors and clients options on how to keep in touch with you. It’s easy to do and is a lovely way to show visitors that you’re thinking of them. Check out mine here.

Step 2. Review Third Parties (DPOs)

Make sure you review applications you use that process personal data on your behalf (Data Processing Organisations, DPOs). You need to ensure they are GDPR compliant as well.

Most big brand companies have strict controls over personal data, e.g., Strikingly, Google, Paypal, Facebook, Mailchimp, Eventbrite, etc. If you’re using any of these applications you should be fine, but it is still your responsibility to ensure that they (and all DPOs you use) are processing your clients’ data in the manner required by law. Then list your DPOs in your privacy policy. You can find Strikingly’s GDPR Compliance statement here.

Step 3. Review Personal Data Categories

The general rule, under the data protection principles, is to store personal data only for as long as is necessary, to store it securely and, when required, to delete personal data securely too. The legal grounds for holding personal data fall into five categories. Review each one.

1. Legal requirement: some services (solicitor services, accounting, etc.) are legally required to hold information for a period of time. In this situation, you must hold data securely for the period required by law. This is not a new requirement, so it should not necessitate a new process for most people.

2. Vital interest (of person) or public: typically in the case of medical professionals, personal data is held to help the individual.

3. Performance of contract: if you’re selling goods online or have people enrolled in training or a class, you may need their information to deliver that service. You can use this for the performance of contract but should get explicit consent to use it for anything further.

4. Legitimate Interest: this is when you use people’s data in ways they would reasonably expect and which have a minimal privacy impact. Perhaps someone’s done business with you in the past. They do not want your newsletter but they do expect to hear from you on matters that might normally be expected in the course of doing business. It is reasonable to assume that holding personal data for this type of communication is fine when it is balanced.

5. Individual consent: this is explicit consent given to you for the purposes of marketing or providing communication from your company. When you do not know someone, you should get their explicit consent before sending them marketing information, such as an email newsletter.

Items 1 and 2 are not new and do not apply to everyone. If you are handling this type of data, you should already be handling it securely.

Item 3 (Performance of contract) - have a policy in place to hold data for the performance of contract and, when the contract is completed, decide whether there is a legitimate interest in continuing to hold their data, or ask for their explicit consent and get them on your newsletter. Whatever you choose, make sure you have a policy in place and that it is clear.

Item 4 (Legitimate interest) - contact those people who fall into this category, invite them to review your shining new T&Cs and Privacy Policy (from above). This should be on your website now. Your policy should also explain their rights to have information removed, etc.

Item 5 (Individual consent) - if you’re marketing to people on a regular basis (such as with a newsletter), you need to get explicit consent. If you have a newsletter in place, make sure to ask them if they wish to continue to receive it. All major email marketing services have templates available for this. If you are unsure how to do this and short on time, you can email your contacts directly and ask them to reply with a ‘yes’ or ‘no’ - then update your database accordingly.

Step 4. Review offline devices and files

You also need to look at things like your devices -- the phones and laptops which contain customer data. Are passwords, locks and other security measures in place?

Have you paper files? These matter too. As you do business, think about whether you’re handling personal data, if it’s secure, and whether there are controls in place to protect it. If the answers are yes, you’re good to go.

That’s it in a nutshell. Now, that wasn’t so hard was it? :D

For anyone who would like more information or help with GDPR, Margaret Julian from GDPR Audits has a number of services for businesses of all sizes. Get in touch. I'm sure she'd love to help. For information on the Rules for Direct Electronic Marketing from the Data Protection Commission, see here.

If you want to receive my newsletter, make sure you sign up here.

Wishing you much continued success,

Teri

Last updated 14 July 2022

Terms & Conditions

See our full Terms and Conditions at: https://www.impulsehub.ie/terms

Privacy Policy
ImpulseHub Web Design, Training & Consultancy (IMPULSEHUB) is a Web design and training company in New Ross, Co Wexford, Ireland. In terms of GDPR, we act as a Data Controller. We treat your privacy seriously and any personal data which you provide to us will be treated with high standards of security and confidentiality, in accordance with Irish and European Data Protection legislation. This notice sets out details of the information that we collect, how we process it and whom we share it with. It also explains your rights under data protection law in relation to our processing of your data.

Who we are

Throughout this Notice, “we”, “us” and “our” refers to ImpulseHub Web Design, Training & Consultancy. For more information about us, please refer to our website: www.impulsehub.ie

How we collect your personal data

We collect your data from you when you complete our Contact Form, when you make a purchase on our site, attend an event, training or course, or when you call or contact us directly through our website or by phone. We use this information only in accordance with the purposes outlined in this notice.

We also receive information through referrals and this information is used to enable communication between us and the referred party.

We may also receive information from you at networking events, such as if you give us a business card.

The purpose and legal basis for collecting your data

Any personal data that you provide to us directly, either via our contact form, through a purchase, from attending an event, training, webinar or course, from a networking event, or when you call or contact us directly will be processed fairly and lawfully.

It will be used for the purposes of recording your data, processing a service request and/or notifying you of relevant IMPULSEHUB communications.

The Data Protection Acts allow us to process your data because you have provided your explicit consent. You are entitled to withdraw your consent at any time. If you do withdraw your consent, IMPULSEHUB will no longer process your personal data and will take steps to delete all reference to your data securely.

Details of third parties that may process personal data on our behalf (Data Processing Organisations, DPOs).

IMPULSEHUB uses a number of DPOs that process personal data on our behalf. These include (but are not limited to) Strikingly, Google (gsuite), Stripe, Paypal, GoCardless, SumUp, Mailchimp, Email Octopus, One Page CRM, Jotforms, and Eventbrite. We have satisfied ourselves that these DPOs are GDPR compliant, that they will take measures to keep your personal data safe and that they will process your information in accordance with Irish and EU law.

How long we will keep your data

In keeping with the data protection principles, we will only store your data for as long as is necessary.

Your rights

You have various rights under data protection law, subject to certain exemptions, in connection with our processing of your personal data, including the right to withdraw your consent to processing your data or to using your information to send you communications from IMPULSEHUB.

If you wish to withdraw or modify your consent at any time, you can contact Teri Morris, GDPR Compliance Manager, ImpulseHub Web Design, Training & Consultancy, 39 South St, New Ross, Co. Wexford, Y34 C822 (or email hello@impulsehub.ie).

You can also choose how you wish for us to keep in contact by visiting our page https://www.impulsehub.ie/contact.

You have the option to unsubscribe from our newsletter at any time using the link that is included with each newsletter that is sent.

Questions or Complaints

If you have any queries in relation to your personal data at IMPULSEHUB, please contact Teri at hello@impulsehub.ie. Our privacy statement is available here: http://www.impulsehub.ie?open=privacy-policy.

If you have any complaints in connection with our processing of your personal data, you can contact Teri Morris, Information Compliance Manager, 39 South St, New Ross, Co. Wexford, Y34 C822 (or email hello@impulsehub.ie). Tel: +353 87 225 6498.

You also have the right to lodge a complaint with the Data Protection Commission if you are unhappy with our processing of your personal data. Details of how to lodge a complaint can be found on the Data Protection Commission’s website (www.dataprotection.ie), or by telephoning 1890 252 231.