Your 11th Hour GDPR Guide
GDPR came into force in Ireland in May 2018. Are you prepared? Or do you wish someone would just come along and make it easy for small business people like us? Your wish is granted. :D
11th Hour Emergency GDPR Guide
Time required: 30 minutes to implement
GDPR gives individuals more rights and protection over their personal data. There are five main reasons why a company or organisation has legal grounds for holding personal data. They are: individual consent, legitimate interest, performance of contract, vital interest and legal requirement.
What can you do so that your organisation can comply quickly at the 11th hour?
Step 1. Get Your Website compliant
Get your legal policies in place and visible. You need a privacy policy and, if you don’t have one already, a terms and conditions document. Get both of these completed and visible on your website so that it is public. Shopify have lovely generator tools that can create both of these for you. In a little as two minutes, you’ll get an email with a link to your document. Review each of these and make sure they make sense and are applicable to your company or organisation. You may need to do minor modifications (5 to 10 minutes) but you should be good to go fairly quickly.
Note: they will try to get you to sign up for a free Shopify trial but you do NOT need to do this to use the generator. And if you want a Shopify trial, see me! I am a partner. ;)
Terms & Conditions
Privacy Policy
Review my privacy policy here. (you’re very welcome to copy mine). :D
Ensure your website forms are GDPR compliant. If you’re using Strikingly, complete the T&Cs and privacy policies (as above). Then turn on the ‘GDPR’ option in settings. You can see how to do that here (video) and read more about it here.
If you’re collecting emails using something other than Strikingly, check the company’s site for adding a GDPR option. You can find one for mailchimp here.
Not required but super cool: have a page which gives visitors and clients options on how to keep in touch with you. It’s easy to do and is a lovely way to show visitors that you’re thinking of them. Check out mine here.
Step 2. Review Third Parties (DPOs)
Make sure you review applications you use that process personal data on your behalf (Data Processing Organisations, DPOs). You need to ensure they are GDPR compliant as well.
Most big brand companies have strict controls over personal data, e.g., Strikingly, Google, Paypal, Facebook, Mailchimp, Eventbrite, etc. If you’re using any of these applications you should be fine but it is still your responsibility to ensure that they (and all DPOs you use) are processing your client’s data in a manner that is required by law. Then list your DPOs in your privacy policy. You can find Strikingly’s GDPR Compliance statement here.
Step 3. Review Personal Data Categories
The general rule, for data protection principles, is to only store personal data for as long as is necessary, to store it securely and, when required, to delete personal data securely too. The legal grounds for holding personal data falls into 5 categories. Review each one.
1. Legal requirement: some services (solicitor services, accounting, etc) are legally required to hold information for a period of time. In this situation, you must hold data securely for the period required by law. This is not a new requirement so should not necessitate a new process for most people.
2. Vital interest (of person) or public: typically in the case of medical professionals, personal data is held to help the individual.
3. Performance of contract: if you’re selling goods online or have people enrolled in training or a class, you may need their information to deliver that service. You can use this for the performance of contract but should get explicit consent to use it for anything further.
4. Legitimate Interest: this is when you use people’s data in ways they would reasonably expect and which have a minimal privacy impact. Perhaps someone’s done business with you in the past. They do not want your newsletter but they do expect to hear from you on matters that might normally be expected in the course of doing business. It is reasonable to assume that holding personal data for this type of communication is fine when it is balanced.
5. Individual consent: this is explicit consent given to you for the purposes of marketing or providing communication from your company. When you do not know someone, you should get their explicit consent before send them marketing information, such as from an email newsletter.
Items 1 and 2 are not new and do not apply to everyone. If you are handling this type of data, you should already be handling it securely.
Item 3 (Performance of contract) - have a policy in place to hold data for the performance of contract and, when completed, decide if there is an legitimate interest in continuing to hold their data or ask for their explicit consent and get them on your newsletter. Whatever you choose, make sure you have a policy in place and that it is clear.
Item 4 (Legitimate interest) - contact those people who fall into this category, invite them to review your shining new T&Cs and Privacy Policy (from above). This should be on your website now. Your policy should also explain their rights to have information removed, etc.
Item 5 (Individual consent) - if you’re marketing to people on a regular basis (such as with a newsletter), you need to get explicit consent. If you have a newsletter in place, make sure to ask them if they wish to continue to receive this. All major email marketing newsletters have templates available. If unsure how to do this and you are short on time, you can email your contacts directly and ask them to reply with a ‘yes’ or ‘no’ - then update your database accordingly.
Step 4. Review offline devices and files
You also need to look at things like your devices -- your phones and laptops which contain customer data. Are their passwords, locks, security in place?
Have you paper files? These matter too. As you do business, think about whether you’re handling personal data, if it’s secure, and whether there are controls in place to protect it. If the answers are yes, you’re good to go.
That’s it in a nutshell. Now, that wasn’t so hard was it? :D
For anyone who would like more information or help with GDPR, Margaret Julian from GDPR Audits, has a number of services for businesses of all sizes. Get in touch. I'm sure she'd love to help. For information on the Rules for Direct Electronic Marketing from the Data Protection Commission, see here.
If you want to receive my newsletter, make sure you sign up here.
Wishing you much continued success,
Teri
Last updated 14 July 2022