Getting to grips with GDPR

A week off work prompted me to spend at least a few hours focusing on the spectre that is GDPR. It is omnipresent: my Facebook feed is filled with posts about it, as are LinkedIn and Twitter, and my clients are looking to me for reassurance. So I feel a sense of responsibility to learn as much as I can, to at least be able to guide them in the right direction.

I must first point out that, as with all knowledge, this is second-hand knowledge: what we learn, we learn from someone else. I have followed Suzanne Dibble's Facebook group, watched many of her webinars and videos, and consumed as much information as possible online, so what I am sharing is my take on everything I have learnt.

So, here goes...

We all need to be GDPR compliant by 25 May 2018. Yes, that feels soon, but it has been two years in coming, so it shouldn't come as a surprise to any of us.

What can happen if we bury our heads in the sand and pretend it's not relevant to us? Well, there are potential fines of up to 4% of your global annual turnover (or €20 million, whichever is higher), but in fairness that level of fine is probably some way down the line, reserved for those who refuse to comply and blatantly disregard the regulation. More importantly, I feel, consumers who are unhappy with the way their data is being processed or handled will not only be able to complain, they will also be able to claim compensation. In a society that seems to have developed a passion for compensation claims, this is a big worry. Over and above this, if you do not handle people's data in the most professional manner possible, you risk damaging your own professional reputation.

If you, as a small business owner, are aware of GDPR, then you can bet your bottom dollar that the man on the street is aware of it too, and people will not hesitate to complain to the ICO if they feel their data is being "abused".

So this is the end of marketing as you know it, right?

No, not at all. There has been data protection legislation in place for years (in the UK, the Data Protection Act 1998), and all GDPR is doing is tightening up on it. You should never have been scraping email addresses off websites, and you should never have been spamming people with unsolicited emails, so if you have been doing that then STOP IT right now! Think of GDPR as an opportunity to clean your database, make your marketing more targeted (because you will be marketing to people you KNOW are interested in you, your product or your service) and see an increase in engagement with your audience.

What's what?

Personal data is any information relating to an identified or identifiable person: the obvious things such as name, phone number and email address, but also online identifiers such as IP addresses and cookie IDs. Processing data is anything you do with it: collecting it, recording it, storing it, using it, sharing it, even deleting it.

The key message throughout the changes being brought about by GDPR is TRANSPARENCY.

  • Tell people what you are doing with their data.
  • Use the data only for the specific purpose you obtained it for.
  • Only take the details you need, and only keep the data for as long as you need it.
  • Hold the data securely.
  • Be clear in your Privacy Policy about how you use data.
  • If a third party stores or handles data for you, choose one that commits to GDPR compliance in its terms (Dropbox, for example) and have a written contract with them.
  • If you are a business that holds hard-copy data, keep that secure too: locked filing cabinets and the like.

Legal grounds for processing data

There are six lawful bases for processing data, but the ones most small businesses really need to think about are consent, contract and legitimate interests.

Consent must be a clear, affirmative act (no pre-ticked boxes, no silence, no inactivity) and should be as specific as possible. Do not bundle consent: be as granular as you can and give people separate options they can consent to.

One of the big questions that many businesses are asking is "do I have to get consent from my existing list?"

I have seen many contradicting answers to this question, and here is my answer...

You do not have to get consent from your existing list IF you can show that the original consent you hold from them already meets the GDPR standard.

As such, my honest answer is: yes, you do need to go back and get consent from your existing list to carry on holding and using their data. Why do I say this? Because I think it is HIGHLY unlikely that most businesses were collecting GDPR-standard consent before the regulation came in. So yes, your contacts may have opted in to your list, but it is unlikely that the opt-in falls in line with the new requirements.

Now is the time to create and run a re-engagement campaign, refresh your contacts' consent and remind them that they have the right to withdraw that consent at any time.

The onus of proving consent lies with you, the data controller. You must be able to show what your contacts have consented to, when they consented and how they consented.

Contract covers processing that is necessary to deliver goods or services someone has asked for, and also the data you hold on your employees.

Legitimate interest is the trickier one. This seems to be the heading that marketeers were hoping to hang their hat on but, unfortunately, for unsolicited email marketing to individuals you DO still need consent (in the UK, the PECR rules on electronic marketing apply alongside GDPR).

For legitimate interest to come into play there must be a "relevant and appropriate" relationship with the person, and what you send must be something they would reasonably expect: for example, a customer has purchased a product and you email them about an upgrade to that product or some additional user information.

Your responsibility

As a business or business owner deciding why and how data is processed, you are ultimately accountable and are the "data controller". In the UK there is a data protection fee payable to the ICO (some organisations are exempt, so please do check), which ranges from £40 to £2,900 depending on your size and turnover. You must designate a Data Protection Officer if you are a public authority, or if your core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special-category data (health, religion and the like); headcount alone is not the test. The 250-employee figure you may have seen relates to the separate duty to keep written records of your processing activities, from which smaller organisations are partly exempt.

What to do now

If this all feels like information overload, my suggestion would be to break it down into the steps below.

Head to the ICO website and ascertain what Data Controller fee you are liable for and pay that.

Ensure that every data processor you use (payroll handlers, email marketing software, cloud storage etc.) commits to GDPR compliance, and that you have a written contract with each of them, which GDPR requires.

Assess what data you hold, where it came from and how you use it.

Decide how you are going to refresh consent. You may even decide (if it is historical data that you don't use or don't need) to destroy all the old data and start afresh on a GDPR-compliant footing.

Organise your re-engagement campaign and ensure that all of your opt-ins and sign-ups are GDPR compliant. Email your list, ask for GDPR-standard consent and share your privacy policy with them.

Make a record of your new policies and procedures so that every time a new lead magnet is created or a new email marketing campaign is built, you know that every element will be GDPR compliant.

Ensure that you have a system in place to cover the rights of data subjects. People can now request a copy of the data you hold on them free of charge, and these requests must be actioned within one month of receipt. Contacts also have the right to have the data you hold rectified or erased.

Review or create your privacy policy.

Put systems in place so that you can keep a record of the consent given by each of your contacts: what they agreed to, when, and how.
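To make the "what, when and how" of consent concrete, here is an added example (not code from the original article or from any product it mentions) of a minimal consent ledger for a small business mailing list. It keeps granular, unbundled purposes, appends every opt-in and withdrawal rather than overwriting (the history is your proof of consent), only lets a mailing go to people whose latest event for that purpose is a grant, and answers a subject access request and an erasure request. The purpose names, the 30-day SAR deadline standing in for "one month", the hashed suppression list kept after erasure so an address is not re-imported by mistake, and all sample contacts are my assumptions, constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Assumed purposes; each is a separate tick box, never one bundled "marketing" box.
PURPOSES = {"newsletter", "product_updates", "partner_offers"}
SAR_DEADLINE = timedelta(days=30)  # models "within one month of receipt"


@dataclass(frozen=True)
class ConsentEvent:
    purpose: str
    granted: bool      # True = opt-in, False = withdrawal
    when: datetime
    how: str           # mechanism used, e.g. "signup form v2, unticked box ticked"
    evidence: str      # reference to the exact wording shown (form version, message id)


@dataclass
class Contact:
    email: str
    name: str
    events: List[ConsentEvent] = field(default_factory=list)


class ConsentLedger:
    def __init__(self) -> None:
        self._contacts: Dict[str, Contact] = {}
        self._suppressed: Set[str] = set()  # sha256 of erased addresses (assumed design choice)

    @staticmethod
    def _key(email: str) -> str:
        return email.strip().lower()

    def add_contact(self, email: str, name: str) -> Contact:
        key = self._key(email)
        if hashlib.sha256(key.encode()).hexdigest() in self._suppressed:
            raise ValueError(f"{email} asked to be erased; do not re-add without fresh consent")
        return self._contacts.setdefault(key, Contact(key, name))

    def record(self, email: str, purpose: str, granted: bool, how: str,
               evidence: str, when: Optional[datetime] = None) -> None:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}; consent must name a specific purpose")
        # Append only: the full history proves what was consented to, when and how.
        self._contacts[self._key(email)].events.append(
            ConsentEvent(purpose, granted, when or datetime.now(timezone.utc), how, evidence))

    def proof_of_consent(self, email: str, purpose: str) -> Optional[ConsentEvent]:
        """The event justifying a send for this purpose, or None (no consent, or withdrawn)."""
        events = [e for e in self._contacts[self._key(email)].events if e.purpose == purpose]
        if not events:
            return None
        latest = max(events, key=lambda e: e.when)  # a later withdrawal overrides an earlier grant
        return latest if latest.granted else None

    def may_send(self, email: str, purpose: str) -> bool:
        return self.proof_of_consent(email, purpose) is not None

    def current_consents(self, email: str) -> Dict[str, bool]:
        return {p: self.may_send(email, p) for p in sorted(PURPOSES)}

    def recipients_for(self, purpose: str) -> List[str]:
        return sorted(c.email for c in self._contacts.values() if self.may_send(c.email, purpose))

    def subject_access_export(self, email: str, received: datetime) -> dict:
        """Everything held on the person, plus the date by which you must respond."""
        c = self._contacts[self._key(email)]
        return {
            "name": c.name, "email": c.email,
            "consents": self.current_consents(email),
            "history": [(e.purpose, e.granted, e.when.isoformat(), e.how, e.evidence) for e in c.events],
            "respond_by": (received + SAR_DEADLINE).isoformat(),
        }

    def erase(self, email: str) -> bool:
        key = self._key(email)
        if key not in self._contacts:
            return False
        del self._contacts[key]
        self._suppressed.add(hashlib.sha256(key.encode()).hexdigest())
        return True


def demo() -> ConsentLedger:
    """Constructed sample data: a re-engagement campaign followed by one withdrawal."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 1, tzinfo=timezone.utc)
    ledger.add_contact("alice@example.com", "Alice")
    ledger.add_contact("bob@example.com", "Bob")
    ledger.record("alice@example.com", "newsletter", True, "signup form v2, unticked box ticked", "form-v2", t0)
    ledger.record("alice@example.com", "product_updates", True, "signup form v2, unticked box ticked", "form-v2", t0)
    ledger.record("bob@example.com", "newsletter", True, "re-engagement email link", "campaign-2018-05", t0 + timedelta(days=3))
    ledger.record("alice@example.com", "product_updates", False, "unsubscribe link", "msg-0042", t0 + timedelta(days=10))
    return ledger
```

Note that nothing here defaults to "yes": a purpose with no recorded event, or whose latest event is a withdrawal, is simply not sendable, which is the behaviour a re-engagement campaign relies on when contacts who never re-confirm drop out of the list.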

I hope that you find this breakdown useful. It is by no means all-encompassing, and I am fully aware that there are more areas to be covered (cookie policies, T&Cs etc.), but I am sharing what I have learnt so far, and if it saves you a few hours of scouring videos, podcasts and blogs then in a small way I have been useful!

Susan Cave

Providing professional virtual assistance with exceptional organisational skills

6 years ago

Well written, Jo-Anna. :). Thank you for sharing.

Tracy Short

Helping Senior Execs & Leaders land dream jobs with style and confidence. Career ACCELERATOR | 1:1 Job Search Consultant | Headhunter Success Strategies | The NEXT CHAPTER Personal Coach for Leaders

6 years ago

I agree most of it is common sense. Do you think small business owners need to pay for advice or is it all work-out-able?

Nadine Le Maître Powrie, MA, NPQH, ACC, Assoc CIPD

Redefine your leadership impact, one conversation at a time | A trusted space to pause, to rethink, and to be challenged | Bilingual (French & English)

6 years ago

Thanks for such a comprehensive article

Catherine Gladwyn

Taking women from employment to enjoyment and beyond. Let me show you how to become an in-demand Virtual Assistant - VA Mentor since 2018 and Multi-Award Winning Bestselling Author

6 years ago

This is absolutely brilliant. The most engaging, easy-to-read post about GDPR I've seen. Thank you.
