As you will be aware, GDPR comes into force on 25th May 2018. For those who do not know, GDPR is the General Data Protection Regulation (Regulation (EU) 2016/679), which replaces the data protection directive of 1995 and the national laws built on it.
The new regulation is being introduced because much has changed since the existing data protection laws were written in the 1990s. As a society we create vast amounts of digital information every day, and the laws that govern our personal information are no longer fit for purpose.
GDPR is therefore being introduced to protect individuals' personal data and to set out how it may be collected, stored and used.
Below is my guide to the activities you need to undertake to identify and document the data you hold:
You need to identify the data you currently store, where it is held, how it is processed, who has access to it and on what lawful basis you process it. Document this information as thoroughly as possible; GDPR expects you to be able to show it on request.
Broadly, companies hold two types of data. Personal data is any information relating to a person who can be directly or indirectly identified. Special category data (often called sensitive data) covers racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, and genetic and biometric data where processed to uniquely identify an individual. Special category data may only be processed where one of a short list of additional conditions applies, so identify it separately.
GDPR applies to personal data in automated systems and also to manual filing systems where the records are structured so that particular individuals' data can be found.
Check your consent procedures. Under GDPR, consent to data processing must be freely given, specific, informed and unambiguous, given by a clear affirmative action (a pre-ticked box or silence does not count), and you must be able to demonstrate that it was given. Consent has to be simple to understand and as easy to withdraw as it was to give.
Be aware that consent obtained under the old rules only carries over if it already meets this standard. If your existing records cannot show a specific, affirmative opt-in (for example email subscribers who were added by default), you will have to approach those data subjects again and ask for fresh permission to use their data.
You also have to keep clear records of all consent taken (what the subject was told, what they agreed to, when and how), establish simple methods for data subjects to withdraw their consent, and regularly review your procedures so that they keep pace with any changes in your processing activities.
My recommendation is to ask your clients to opt in or opt out of you holding their data. Do not take it for granted that someone who asked to be on your client database in the past still wants to be included, and do not rely on the subscribe or unsubscribe link at the bottom of your emails as evidence of consent.
The easiest way to do this is to run the exercise in Mailchimp, your CRM or a similar database. Send your clients an email asking whether they still wish to receive information from you and get them to opt in or opt out. Do this as a double opt-in: the first click records that the person wants to stay, and a second confirmation email must also be answered before the address is treated as consented. If recipients do not respond after several attempts, take them off your list.
Anyone who opts out must not be contacted again. Logging every request, opt-in, opt-out and withdrawal in the database, with the date and what the person was shown, gives you an effective audit trail that demonstrates consent if a data subject or the supervisory authority (the ICO in the UK) asks for it.
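As an added illustration of the re-permissioning procedure above (this is example code written for this page, not code from the original article, Mailchimp or any CRM), the following Python keeps a consent ledger with a double opt-in state machine, suppresses anyone who has opted out or withdrawn, drops non-responders after a fixed number of attempts, and appends every event to an audit trail. The state names, the reminder limit MAX_ATTEMPTS and the audit record layout are assumptions, and the addresses in run_campaign() are constructed sample data.

```python
"""Consent ledger for a GDPR re-permissioning (double opt-in) campaign.

Added illustration, not the article's or any vendor's code. The states,
MAX_ATTEMPTS and the audit record layout are assumptions; the addresses
used in run_campaign() are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum

MAX_ATTEMPTS = 3  # assumption: requests sent before a non-responder is dropped


class State(Enum):
    PENDING = "pending"         # request sent, no answer yet
    CONFIRMING = "confirming"   # opted in once, second confirmation outstanding
    OPTED_IN = "opted_in"       # double opt-in complete: may be mailed
    OPTED_OUT = "opted_out"     # declined or withdrew: must never be contacted
    REMOVED = "removed"         # no response after MAX_ATTEMPTS: dropped


@dataclass
class Subject:
    email: str
    state: State = State.PENDING
    attempts: int = 0


@dataclass
class ConsentLedger:
    subjects: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # append-only; never edited

    def _log(self, s: Subject, event: str, before: State) -> None:
        self.audit.append({"at": datetime.now(timezone.utc).isoformat(),
                           "email": s.email, "event": event,
                           "from": before.value, "to": s.state.value})

    def send_request(self, email: str) -> State:
        """Record an outbound consent request; the returned state tells the
        caller whether an email may actually go out."""
        s = self.subjects.setdefault(email, Subject(email))
        before = s.state
        if s.state in (State.OPTED_OUT, State.REMOVED, State.OPTED_IN):
            self._log(s, "request_suppressed", before)  # nothing is sent
            return s.state
        if s.attempts >= MAX_ATTEMPTS:
            s.state = State.REMOVED
            self._log(s, "removed_no_response", before)
            return s.state
        s.attempts += 1
        self._log(s, "request_sent", before)
        return s.state

    def record_response(self, email: str, opted_in: bool) -> State:
        """Apply a subject's answer to an open request."""
        s = self.subjects[email]
        before = s.state
        if not opted_in:
            s.state = State.OPTED_OUT
            self._log(s, "opt_out", before)
        elif s.state is State.PENDING:
            s.state = State.CONFIRMING
            self._log(s, "first_opt_in", before)
        elif s.state is State.CONFIRMING:
            s.state = State.OPTED_IN
            self._log(s, "double_opt_in", before)
        elif s.state is State.OPTED_IN:
            self._log(s, "duplicate_opt_in", before)  # harmless, still logged
        else:
            # OPTED_OUT / REMOVED: no request is open, so nothing to confirm;
            # a re-subscription has to start from a fresh subject-initiated
            # request rather than being inferred here.
            raise ValueError(f"no open consent request for {email}")
        return s.state

    def withdraw(self, email: str) -> State:
        """Withdrawal is always honoured, whatever the current state."""
        s = self.subjects.setdefault(email, Subject(email))
        before = s.state
        s.state = State.OPTED_OUT
        self._log(s, "withdrawn", before)
        return s.state

    def mailing_list(self) -> list:
        """Only addresses with a completed double opt-in may be mailed."""
        return [e for e, s in self.subjects.items() if s.state is State.OPTED_IN]


def run_campaign() -> ConsentLedger:
    """Walk four constructed addresses through the procedure."""
    led = ConsentLedger()
    led.send_request("alice@example.com")            # first email
    led.record_response("alice@example.com", True)   # first opt-in
    led.send_request("alice@example.com")            # confirmation email
    led.record_response("alice@example.com", True)   # double opt-in complete
    led.send_request("bob@example.com")
    led.record_response("bob@example.com", False)    # declined: suppressed
    for _ in range(MAX_ATTEMPTS + 1):                # carol never answers
        led.send_request("carol@example.com")
    led.send_request("dave@example.com")
    led.record_response("dave@example.com", True)
    led.withdraw("dave@example.com")                 # changed his mind
    return led


if __name__ == "__main__":
    ledger = run_campaign()
    print("may mail:", ledger.mailing_list())
    for entry in ledger.audit:
        print(entry)
```

The point of the design is that the mailing list is derived from the ledger rather than maintained by hand, so an address can only be mailed after two recorded opt-ins, an opt-out or withdrawal is a one-way transition that the sending code cannot override, and the audit list is only ever appended to, which is what you would show if asked to demonstrate consent.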
Please note: going forward, someone who hands you a business card at a networking event has not, by doing so, consented to being added to your marketing database. Add their details only if they have explicitly given you permission, or if you can document another lawful basis (such as legitimate interests) and tell them how their data will be used.
The regulation requires a formally appointed data protection officer only in certain cases: public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special category data. Most SMEs will not fall into those groups, but someone, in essence you as the MD, must still own data protection and be able to show what has been done.
You will also need a procedure in place for detecting, investigating and reporting personal data breaches. Detection may come from your own systems (firewall and server logs, monitoring) or from an external IT provider, but the procedure itself is yours to write: who is told when something looks wrong, how the incident is assessed and recorded, and how you notify the supervisory authority within 72 hours of becoming aware of a breach that is likely to put individuals at risk, and the affected individuals themselves where that risk is high.
It is important not to be blasé. Make sure that you are compliant by 25th May, because the most serious infringements of GDPR can be fined up to €20 million or four per cent of a firm's global annual turnover, whichever is greater (a lower tier of €10 million or two per cent applies to other infringements).
GDPR will undoubtedly affect a wide range of marketing activities, so it is important to be ahead of the game and to have all of the above in place before May.
Heather Scales, Heartbeat HR Ltd