You’ve probably heard talk about GDPR and recent changes to data protection legislation that affect a wide variety of organisations. Online information on GDPR can be confusing and even contradictory, but don’t worry, you’ve come to the right place. Read on for a simple guide to everything you need to know about the new GDPR legislation, how it may affect you and how to become GDPR compliant.
What is GDPR?
GDPR stands for General Data Protection Regulation. It is a new law, in place across Europe. In the UK, this means that GDPR replaces the Data Protection Act 1998, so there are some important changes that organisations need to be aware of. GDPR differs from the DPA in a number of ways. Mainly, the focus of GDPR is to make sure that individuals have a full understanding of what data of theirs a company or organisation is storing, and that stored data is kept to the minimum, including only what is actively relevant to that company or organisation. In other words, GDPR aims to protect individuals from having erroneous data about them stored by companies and, as a knock-on effect, to prevent data leaks and unlawful sharing of data. On this final point, under GDPR, companies and organisations are also required to demonstrate that data is stored securely.
Who does GDPR apply to?
By 25 May 2018, all companies that collect and store personal data from customers and members must be compliant. Personal information includes (but is not limited to): name, address, web information including cookies and IP addresses, genetic and biometric data, racial or ethnic origin, political opinions, sexual orientation and religious beliefs.
It’s a common misconception that GDPR only applies to large companies. This is not the case. All companies and organisations, including charities, must ensure that they are compliant. Non-compliance fines are hefty, running up to 4% of annual turnover. But don’t panic. Read on to find out more, including how you can get help to become GDPR compliant.
What steps do I need to take to become compliant?
Essentially, there are five things you need to make sure to do. These are:
1 – Keep thorough and up-to-date records of what information is stored about your customers.
You should make sure that staff members with access to these documents are properly trained and understand the importance of keeping these records organised and correct. These records need to include information about how the data is used and under what circumstances it is allowed to be used – including how the customer is informed about this. Under GDPR, companies need to demonstrate clearly that they have consent to use a customer’s personal data.
3 – Look back over your marketing practices.
This may relate in particular to digital marketing, to ensure you aren’t doing anything in breach of the new legislation. Naturally, if you’re creating digital products you will have things you need to comply with, including how you market to people who sign up for your freebies and who buy your products. This is a critical area: if someone has signed up for a webinar or freebie, you likely can’t keep marketing to them, and consent isn’t forever!
4 – Make sure you are able to comply with the 72-hour data breach notification.
This requires that any data breach must be reported in no more than 72 hours. It may be that you will need to train a staff member to respond to any incidents and add this role to their job description.
5 – Make sure you have addressed the individual rights requirement.
This requirement says all individuals must be informed about how their data is stored and used. Your responsibility as a business owner is to ensure that you help manage this requirement. For example, if you hold customer data, your customers have a right to know what data you hold, to have it corrected and, if required, to have it deleted.
6 – Cookie consent banner
It is a requirement of GDPR that you must install a cookie consent banner to let your users know what cookies you have on your website and how they can opt out.
7 – Ensure you work with compliant suppliers (vendors)
All suppliers (also known as vendors) must be GDPR compliant, and if they are not, you must not continue to work with them. Many companies are doing all that they can to become GDPR compliant, but it is your responsibility to ensure that anyone you work with is compliant, so that they can support your obligations as a data controller.
How can I get help?
You’d be forgiven for still being a bit confused. There is quite a lot to the new legislation and, obviously, making mistakes isn’t worth the risk. GDPR consultants do exist, but they charge huge fees (up to five figures). If you’re a small to medium business, this isn’t an option.
A great alternative, though, is to get your hands on a GDPR DIY Kit from Red Clover Solutions. Created by Jodi Hoffman Daniels, a privacy consultant with 19 years’ industry experience, you know you’re getting the best advice because Jodi actually works in the privacy sector.
The kit costs only $99 and includes everything you need, including advice and plain-English explanations, checklists and run-downs of where and how to check your marketing practices.
There are templates for Data Inventories and Individual Rights Responses so you can get compliant much more quickly, which is great news as the deadline is fast approaching. Get the kit HERE (in the spirit of the transparency that GDPR is all about, I am getting a small kickback for recommending it, but as a tried and tested user of this kit I really wouldn’t recommend anything else). You can rest easy knowing you’re fully GDPR compliant.