On May 25th, 2018 businesses will have to comply with the General Data Protection Regulation (commonly referred to as, GDPR), a new law governing the secure collection, storage & usage of personal information. If you’re a small business struggling to get your head around what’s required, then it’s time to wake up and shake up because penalties for non-compliance are set at 4% of turnover.
The good news is that there are plenty of useful tools and resources available from the Information Commissioner’s Office (ICO). Including an easy to digest Guide to the General Data Protection Regulation and useful GDPR 12 Steps to Take Now.
We’ve also created this whistle stop GDPR overview, to help the small and medium businesses we work with to comply:
GDPR and small business. Make sure you comply:
What is GDPR?
Think of The General Data Protection Regulation (GDPR) as a beefed-up version of the current Data Protection Act. At the moment, if you hold and/or process personal information about your employees, suppliers, customers or clients, you are legally required to protect that information.
From 25th May onwards the new GDPR rules take that up a notch. Giving control of personal data back to the individual, 100%.
It affects the personal data you hold, your privacy policy, individuals’ rights, how you seek, record and manage individual consent, data breaches, data protection and much more.
The term ‘personal data’ is far reaching. You’ll find the ICO has some useful examples of what is deemed ‘personal data’ here. It’s important to realise that this is not simply about how store contact information, it includes customer and employee records of any kind, and any expression of opinion about an individual.
We’re advising the small and medium businesses we work with to use the ICO Data Protection Self-Assessment. It’s a simply tool and means you can assess your compliance with data protection law and find out what you need to do to make sure you are keeping people’s personal data secure.
We say: “It might feel like a headache. Bit GDPR is good for small business. It’s a chance to create more efficient, smarter working practices and build and enhance your business’s reputation”.
Does GDPR apply to you?
We were having a coffee with a GDPR trainer the other day and they explained that to answer this question, you must first decide whether your business is likely to be categorised as a “data controller” or “data processor”.
-
A processor is responsible for processing personal data on behalf of a controller:
You are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
-
A controller determines the purposes and means of processing personal data:
You are obliged to ensure your contracts with processors comply with the GDPR.
Full guidelines are yet to released, however these examples are likely to be applicable –
For example, ABC Ltd sells buttons to customers and uses 123 Marketing to email customers on their behalf, as well as track engagement activity. In this instance it would be fair to say that ABC Ltd is the data controller, and 123 Marketing is the data processor.
However, if ABC Ltd manages it’s own customer data through a CRM system, asking 123 Marketing to write the content for emails it sends and tracks then ABC Ltd is both controller and data processor.
GDPR and Marketing
And now, onto marketing. If you maintain personal client, customer or prospect records, no matter the quantity, then you need to take steps to ensure you comply with the new GDPR rules, now.
The ICO guidelines point to these 5-steps as key to compliance:
-
A privacy policy
This is a document that outlines how you gather, use, disclose and manage a customer or client’s data. Should be held on your website.
*We can write a privacy policy that gives visitors to your website confidence in your business*
-
A cookie policy
Another document that outlines how you get consent from your website visitors to store and/or retrieve their personal information on a computer, smartphone or tablet. A cookie is a little data file, and it stores personal information on people’s web browsers. This should also be held on your website.
*We can write a simple cookie policy, or customise to keep language on brand*
-
ICO registration
Every organisation that processes personal information is required by law to register with the Information Commissioner’s Office (ICO). It’s simple and straightforward and costs around £35.
-
Data audit
The ICO recommends that you should document what personal data you hold, where it came from and who you share it with.
-
B2B businesses you are affected too. Many of the owners we have spoken to feel confident that because the email addresses the hold are ‘business’ addresses GDPR rules do not affect them. This is not 100% accurate. Using this example – jo.bloggs@abcfirm.co.uk. True it is a business address, but because it includes personal data it is regulated by the new rules.
-
B2C businesses will have virtually all ‘personal data’, as their customers and clients are individuals.
-
Consent programme
The ICO recommends you should then review how you seek, record and manage consent (this means how individuals ‘opt in’) and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
-
For many businesses this can be managed via a simple email ‘opt in’ campaign. Perhaps offer an incentive to encourage individuals to reply, and make sure to include opt in buttons to all potential channels of communication. For most small businesses this will be email, post, SMS or telephone.
*We can write an email campaign designed to re-engage with your database and re-gain consent*
NB: If you have bought a list, you must seek assurance about the origins and accuracy of the records and personal data. More information on this here.
Our final word
Our advice is this. Take GDPR seriously and don’t leave it any longer to comply.
Not sure where to start?
We’re working with lots of small businesses, updating websites with privacy & cookie policies, helping to run data audits and creating consent programmes to bring marketing inline.
Drop us a line, we’d be happy to help you to.
I’m flattered if you take this blog as expert guidance…however, please do not IN ANY WAY consider this to be a factual, complete and accurate list of your requirements. It is the responsibility of the business owner to perform their own research and ensure that their business complies in whichever ways are appropriate.