A Step by Step Guide to GDPR

A Step by Step guide to GDPR

A step-by-step guide to GDPR

I’m guessing you’re in one of 2 camps, 1, you’ve heard of GDPR but you're unsure what impact is has on you and your business (if any) or 2 you’re thinking GDPWhatNow?!

Not to scare you BUT GDPR will affect EVERY business that holds ANY data on a customer, past, present or future. If you collect anything from email address either digitally or on paper, this post is for you.

Now firstly, let’s take a step back. What is GDPR? Well, it stands for General Data Protection Regulation (GDPR) and its a new law that will come into play on the 25th of May 2018 for all businesses operating in the EU, that means anyone in the UK! That's a matter of months away (post written March 2018). It’s main aim is to help protect people data, both digitally and offline. Remember the data breach on people’s personal Equifax data or Sony’s Playstation data where millions of personal records were hacked, well this law is to help prevent things like that from happening again.

BUT hang on, I hear you say, I’m nowhere near as big as Sony (I wish was BTW) this doesn’t affect me right?! WRONG ! Once this law, and it is a law, comes into play it affects any business, big or small that hold and obtains people personal data AND they are enforcing major penalties (maximum £20 MILLION fines) for any businesses that doesn’t comply with the rules.

OK so what on earth do you need to do to make sure you don’t get fined. Here’s a comprehensive breakdown what you should implement to make sure “the man” doesn’t come knocking on your door.

1: BE CONTENT AWARE:

Know and understand how you are currently collecting personal data. Go though your business with a fine tooth comb and look at where people are supplying their details to your business. Some places are:

  • Opt ins on your website for a newsletter (Data collected email, name)

  • Opt ins on your website for a giveaway (Data collected email, name, contact number etc)

  • Information collected on your retail POS system (Data collected postcode, address, name etc)

  • Physical paper surveys or contracts filled in (Data collected - all sorts)

You can see from the short list of examples we as businesses collected people’s data on a daily basis in multiple way. So make sure you are fully aware of the ways you collect this information.

2: STORAGE:

With data breaches at Sony and Equifax, 2 massive companies with a ton of system security in place, you may think "well how do I keep my data safe?" Well the point is you need to be showing that you are trying. If you are collecting email address from your website, where are these being stored? Or if you have physical pieces of paper with contact numbers on them, where are they kept? Here’s a few options I use and suggest to make sure all data is stored securely:

  • All of the emails collected from my opt in’s on my website are saved on Mailchimp and Google Docs. This means the security systems in place at Google and Mailchimp are protecting this data and I have shown that I am doing everything in my power to keep people’s data safe.

  • If you are storing details digitally on your laptop (Excel sheet for example) is your laptop password protected, do you have any-virus software, is that sheet with the information locked and/or password protected?

  • Do you have details on physical paper in your office or at home? Client contracts or business addresses? Are these kept in a secure cabinet, under lock and key? Do you have an alarm system? How easy would it be for someone to steal these?

As you can see there are multiple things to think about but as long as you are being careful and showing that you have taken measures to keep this information stored securely you are complying with GDPR rules.

3: DELETING DATA:

How easy it it for you to find and delete any data on someone if they ask for this to be done? Regardless of whether this law was coming into play, everyone should be able to easily ask to be removed off a call list or an email list.

Don’t you agree?

How many times have you asked for your name to be taken off a cold callers list (I had 8 calls in 1 hour the other day, all offering me Web Design packages - at least know your audience !!) Well as of May 25th, it is a legal requirement to comply with removing the data from your files if someone asks. If you don’t they could report you and that's when “that man” could come knocking and issue you with a pretty hefty fine!

There are only 2 rules for this point:

a) Know where all the data is being stored
b) Delete it when asked to

4: PERMISSION GRANTED:

How many times have you signed up to something online and had to check a tick box for the companies terms and condition and how many times have you signed up to something online and NOT have to agree to any terms. Well the latter will soon be against the law. You MUST inform people what you are going to be doing with their data and you MUST get permission to do so. Couple of examples below to help you get this right:

Website:

If you are collecting data online make sure you tell people, at the point they are signing up, what you are using their data for OR provide a link to somewhere where they can read more.

For Example. My site currently has text below the Contact Form and any opt in’s to explain what is happening to there data once submitted along with a link to my Privacy Page for further explanation.

Blanco Digital Studio GPRD Explanation made Easy

This is super easy to add across your site and will take 5 minute to update, so do it now !

* As a side note, I encourage everyone who doesn’t have one yet to write up a Privacy Policy page. Have a read of mine (in the footer) to see what sort of information needs to be added (please don’t copy it !!) *

Offline:

So what about paper contracts and forms? I would recommend adding a section to each which states that “by filling in this form you are agreeing [Company Name] can hold personal information on [Client Name]". Or ask them to sign something to say they understand that you have their data BUT can ask to have it deleted at any time.

5: SHARING IS CARING:

"Be ready to hand over any information you have on that customer when requested within 1 month and free of charge."

This again comes back to the point’s above. Making sure all your data is organised means you won’t have to spend hours searching for it. If you fail to comply with this that customer is well within their rights to complain to the GDPR bodies and this may result in your receiving a black mark and a fine so make sure you share the information when ask and delete when asked. Pay that much more attention to your emails!

6: TRAIN YOUR EMPLOYEES:

Make sure everyone who works for your business, that comes in contact with this personal information, is totally clued up on the rules too. 

It's not good enough to assume they will know this information or tell the authorities it wasn't you that messed up. They are your employees and they represent your business. If they mess up the whole company does so make sure everyone is clued up.

7: CONTACT YOUR EXISTING CLIENTS:

Once this regulation comes into play old and existing data also falls under the scrutiny of this law. So the safest way to not get in trouble is to get in touch with any existing clients, customer, mailing lists and ask them if they are still happy for you to have their data.

Yes this seems like a massive pain in the B*** but trust me, if any one of these clients one day decides they’ve had enough of you sending them offers they don’t want, they may report you.

Bonus tip on mailing lists. Make sure there is an easy way for people to unsubscribe. Mailchimp has a button at the end of their emails which is easy to click and unsubscribes you straight away BUT if you aren’t using anything like Mailchimp and writing and sending the emails from your own account make sure you add a note at the bottom of your email letting people know they can get in touch with you at anytime to unsubscribe from your emails.

 

8: TAKE ACTION:

It’s all fine reading all these tips but if they aren’t implemented by the 25th of May what’s the point?! The point is.. you may get fined !!

Set some time aside to action and implement these points and actually do it. Do it sooner rather than later so it’s done and your not scrambling on the 24th of May.

And some bonus advice because.. why not !

  • If you’re website is managed by someone else get in touch and make sure you have an update booked in.

  • If you know you have 100’s of files laying around… somewhere… start organising them now, filing and put away safely

  • Don’t have a password on your laptop but store personal data? Its time to add one!

  • Don’t need a lot of old data you’ve been meaning to clear out? Now is the right time so get rid of anything you don’t need.

So hopefully if you've taken anything away from this post its that GDPR is not going away and it needs to be dealt with. It's not big and its not scary but taking the time to address it now with save you a major headache in a few months.

Do you have any questions or comments? Pop them into the comments and I'll do my best to answer them or point you in the right direction.

Thanks

Nisha x