10 tips you need to know to make sure you are GDPR compliant

The new General Data Protection Regulations (GDPR) have totally changed how we store and use data. If you have data about your employees, suppliers or customers and you do not follow the new regulations you could get fined up to 20 million Euros. So make sure that you are doing everything in order to be compliant with GDPR.

The problem is that a lot of information out there about GDPR is full of legal jargon and it can be confusing. So, I have broken it down into 10 tips you need to know to make sure you are GDPR compliant.

The reason these new GDPR laws have come about is because the last time data protection laws were created it was the nineties. Since then there's been so much advancement in the technology, like the internet, smartphones, social media, email etc. and people feel that they've lost sight of how their data is being used and stored. So the GDPR law is a positive thing because it allows the people to take back control of what data companies/businesses have on them. To make sure you are compliant with GDPR the first thing you need to know is what data do you have on people and that leads me to tip number one.

1.      Store all of the data you have on your employees, suppliers and customers in an organized fashion. This is going to be helpful for two reasons.

The first is that if a person asked you what information do you have on them you want to be able to get all of that information to them as quickly as possible and as accurately as possible. Second reason is that if you were to ever be investigated by the GDPR you want to make sure that you are showing that you know what data you have on everyone.

So store data in a really organized way.

What is meant by data? Well, personal data is any bit of information that you could use on its own or with another bit of information to identify a person. So that's going to include their name, their phone number, their photos, their IP address, email address etc.

So make sure you know what data you have on people and identify what that is.

2.      Make sure that data is safely and securely stored.

What measures have you got in place to make sure that nobody could leak, hack or misplace that data? If you are storing that data digitally, what safety measures could you put in place? Could the information be up there in the cloud? Do you have antivirus software on all of your devices? If any of your devices were lost could you remotely wipe that data so nobody could access it?

Start thinking of these things because you want to make sure your data is always in safe hands. Similarly, if you have hard copies of your data, what are you doing with that? Are you securing that safely? Is it locked away? Is it in a fireproof box? Are you making sure that no unauthorized person could access that information?

You also want to make sure that you make record of your risk assessment. So actually write down what safety measures you've gone to make sure that data is safe. This is going to make sure that everybody in your team knows exactly what's happening and should you ever be investigated you are showing that you've already taken necessary precautions.

3.      Do not hold on to data unnecessarily. So this is a big one that's coming with the new laws. You can't hold on to data if you do not know what you are going to do with it. You need to be totally sure of why you've got someone's name or email address. So do not hold onto data just thinking it might become handy in the future.

4.      You want to have a really clearly written ‘fair processing policy’. This is something you are likely to already have. This is a form of a privacy policy so something you might already be familiar with. All it is is it's a document that really clearly explains what data you are going to be taking from people and how you are going to be using it. Every time somebody hands over a bit of data to you make sure that they have clear access to your fair processing notice. GDPR have asked that this fair policy notice should have no jargon and difficult legal bits that could make it ambiguous. So start with a blank piece of paper and in layman's terms say what are you going to do with that information, then write it down in this document, in plain English.

Here are some questions to keep in mind:

a.      What information is being collected?

b.      Who is collecting it?

c.      How is it being collected?

d.      Why is it being collected?

e.      How is it going to be used?

f.       Who will it be shared with?

g.      What will be the effect of this on the individuals concerned?

h.      Is the intended use likely to cause individuals to object or complain?

5.      If somebody (a SUBJECT) asks what information do you have on them, do you have a process by which you can easily give them an answer?

With the new law you have to be able to supply people with what information you have on them. If they ask, you have to supply this information WITHIN ONE MONTH of them asking for it. And you have to do it free of charge. So make sure you've got a process in place so that you can quickly get all the information you have on them and send that over to them.

When someone asks you about what information you have on them, it is called ‘Subject Access Request’ or ‘SAR’.

6.      Have a process in place where if someone asks you to delete all their data you can. So if someone ask you to delete all their data, you have to. That is part of the new law. So make sure you know where all of the information you have on them is so you can easily wipe that.

7.      Let people unambiguously opt-in, giving you permission to having/keeping their data as well as using it for marketing purposes. This means that if you are going to use someone's data for marketing they have to take some sort of action to say, “yes, you can have my data and yes, you can use it.”

For these reasons that's known as positively opt-in. It used to be the case that you would go on to a website and there would be a pre ticked box that says yeah you can use my data for whatever, that's not the case anymore. People have to actively tick that box or take another action. Some good examples of getting people to positively opt-in is having a tick box next to a contact form that says yes you can use my data or to have a double opt-in. This is when an email comes through to their inbox that says, “click this button to be part of our mailing list so that we can use your information for X Y.”

If you are collecting people's information in person you could get them to sign something to say that they're happy for you to use their data, or you could get them to tick a box that says. “I’m happy for you to do this.” Whatever it is make sure that someone is taking an action and you have evidence that they did that.

8.      Try layered opt-in forms. This is something the GDPR is simplifying with and something I really like. So they look a little bit like a layered opt-in form which allows users to have easy access to understand how their information is going to be used but it doesn't look messy. Instead they can click on a button and delve into more information if they'd like to know how you are going to use it.

Many websites use a link to a privacy statement. Some do this better than others. If you choose to do this you should place the link near the subscription sign up, or bring some attention to it, to allow people to read it if they wish to. You must also ensure the link takes users directly to the privacy statement, and doesn’t become an obstacle to the sign up process.

When a link to a privacy statement is not located near the newsletter sign up people are unlikely to know the policy even relates to the sign up, reducing the chances of them clicking on it and informing themselves of how their data is going to be used.

9.      When using people's information to send them marketing material make it really easy for them to opt out of it.  If you are using emails you need to make sure people can unsubscribe easily. Make sure that you are writing something at the bottom that tells them how they can stop receiving further emails. Same with things like text messages and call services.

The information for opting out should be really clear and really obvious. Do not use any small print. You must have really strict procedures to ensure that once someone opts-out they do not get any more marketing materials from you. This is where you could really fall short to GDPR law and get reported. And that's when the twenty million euro fines are going to come knocking at your door which you do not want.

So have strict procedures that if someone doesn't want to receive anything anymore make sure everyone in your team knows that and they no longer receive it.

10.  Make sure all your team know about the new GDPR laws. I would actually put this in an email again just to prove to ICO that you have been very conscious of the laws. Train all of your employees on everything I have mentioned above. It is just as important that they do it so your whole business isn't liable. To be extra safe I would also appoint you or someone in your team to be the data protection officer and make sure you've got this in writing. This means that one person is responsible for enforcing all the tips you read today. Giving one person total responsibility means that these tips are much more likely to get enforced.

Now they are all the tips that you want to go and implement straight away.

Some other questions:

What if you want to buy data, how do you ensure that it is GDPR compliant?

If you are going to buy data, maybe like a big list of everybody's email addresses or phone numbers, you need to make sure that the person that you are buying that information from has been GDPR compliant. You also need to make sure that every single person on that list has actively opted in to receive information and/or have their data stored by a third party. So make sure you check with the person you are buying this information from.

What if you want to sell the business in the future can you pass on the data you have on your employees suppliers and customers to the new business owner?

In this case you want to have an assignment clause within your fair processing notice. The assignment Clause should really clearly state that if somebody else was to buy your business the new business owner will have all that data that you've collected on someone. They will then own it and use it for the same purposes that you have.

You also just want to make it really clear to the new business owner what you had mentioned in your fair processing policy how you were going to use the data and that is only what he/she can use it for.

The information I've given today is totally my interpretation of the legal jargon there is out there about GDPR and on the ICO website. This is just my interpretation and I am NOT legally trained at all, so please do go and do your own research.