Whether you like it or not, there is a huge change coming with regards to how you operate your business. GDPR – General Data Protection Regulation is going to affect all business, from sole traders through to large corporations.
If you collect any data on customers or clients, you will need to address how that data is collected and stored.
These new regulations are really designed to stop the tech giants such as Google and Facebook from selling unauthorised data that they have collated about their users. Unfortunately though it will also affect a lot of other businesses.
What is classed as data?
Under the GDPR changes, the definition of private data includes internet browsing habits collected by website cookies, location data, other online identifiers and genetic data along with the normal things such as email address, phone numbers and bank details etc
If you do collect this data, consent needs to be explicit. The user/client/customer approve this data collection.
This also means that cold call email marketing is a big no no. Great news for most people, but not for business that rely on this advertising method.
So how do you make your business compliant?
Having a new privacy policy and asking users to read them at their leisure is not classed as consent. But there are a lot of simple changes that can make you, your website and your business compliant.
On your website, with your new/updated privacy policy, ensure that potential customers have to intentionally tick a box, and know what they are agreeing too prior to them sending enquiries.
Many business websites use cookies and analytics by default. Under GDPR, you’ll need to lead with explicit consent. This means asking users to opt-in for cookies (no more ‘by using this site you accept cookies’ notices), and ensuring any data is pre-emptively stripped of all personal identifiers before being sent to your analytics tool.
If you keep data on past clients – get rid
Going forward, everyone has the right to be forgotten and removed from any database you hold their information on.
It is now common practice for you to receive ‘unsubscribe’ links from any newsletters etc that you receive. GDPR expands this to include a right to erasure. In other words you have the right to be deleted and forgotten, not just unsubscribed.
As a business you are then required to confirm and delete their personal data, plus take steps to ensure any copies or backups containing their data are also treated.
What happens if you do lose data or there is a breach of your systems?
If you suspect there has been breach of your systems that has accessed clients data, you have 72 hours to report it. Not only will you have to report it to the relevant authorities but you will also have to inform the individuals whose data has been breached.
If you don’t do this or if your found to be non compliant, you can expect a penalty fine of up to 20 million Euros or or 4% of annual
turnover, whichever is greater.
GDPR comes into affect on the 25th May 2018, so if you haven’t already, you need to start making adjustments now.
Review your privacy policies, data collection and marketing methods. If needs be change them.
In the meantime if you are still confused about GDPR, feel free to get in touch with us. We can provide a free systems audit that will help identify any areas that could be venerable and can also supply you with the methods of correcting them.