If you didn’t already know what GDPR
is, you probably do by now. There is a strong chance that you have
recently been bombarded with emails and communications from companies trying to
get you to re-sign up to their services.
This is because GDPR applies from 25 May 2018,
in the UK as across the rest of the EU. And it has important consequences for all businesses,
both large and small.
So first a very quick introduction to
GDPR. To summarise, the European General Data Protection Regulation (GDPR)
means that businesses need a lawful basis, such as the individual's consent, to use and store
the personal data they hold now and any they collect in the future, and must be able to show what that basis is.
There are a number of strict rules and
very material fines for offenders who fail to adhere to them. And remember that
GDPR is not just a one-off date: businesses need to stay compliant from now on.
The new regulations are generally good
for customers. Many businesses, however, face the very real prospect of their
customer databases being decimated and having to implement costly changes to
their processes, privacy procedures and record keeping to avoid large fines.
What do businesses need to do?
Firstly ask what personal data you
currently hold or process. How was it gathered? Where is it stored? What do you
do with it?
Next, check the data consents that you
have in place. You may have relied on ‘opt out’ boxes or pre-ticked consent when you collected specific
data (for example from customers), but GDPR does not accept these as valid consent, so using
this data for any purpose where consent is required could lead to enforcement action and fines.
You may have to re-obtain consent from individuals where you are unable to
demonstrate that they have given affirmative consent.
Businesses also have an obligation to
make individuals aware of their rights. As part of the data collection process,
consider whether you need to update your privacy policies or T&Cs.
Have a clear plan for what should
happen in the event that you experience a data breach. Understand what data you
hold counts as personal, where it’s kept, who has access to it, your mechanisms
for spotting a breach and who it should be reported to (a breach that puts individuals at risk
must be reported to the ICO within 72 hours of your becoming aware of it). And although SMEs with
fewer than 250 staff have a little more leeway on record keeping, the reality is that companies
which regularly use personal data and contact customers will be subject to the
key GDPR rules. In practice it is better to be safe than very sorry. Yes, it’s a
distraction. Yes, reading and understanding the details of the rules can be
turgid stuff. But, yes, it is very important.
Review your current data
Businesses need to undertake a comprehensive
review of the personal data they currently hold on customers and contacts.
Understand what you hold and where you hold it. Most importantly, you need to
understand how you got it. The broad rule of thumb is that if you didn’t get
explicit permission from somebody to hold and use particular personal data, and
no other lawful basis applies, you need to ask for it.
Update your policies and procedures
Make sure you update your ongoing
privacy policies to be GDPR compliant, spelling out what data you collect, how
you collect and store it and how you will use it. And you need to put
new ongoing data procedures in place. As good practice, renew permissions from
‘inactive’ customers every year. You also need to be able to find
all the personal data you hold on any particular customer, so that you can respond if they
exercise their right of access or their right to be ‘forgotten’ and deleted from your database.
What constitutes personal data?
Be warned - personal data is defined
very widely. Personal data is more than just a name and email. It can include
anything from an IP address to political leanings and ethnicity. Personal data
can also include data stored on anything from a spreadsheet to a mobile phone -
not just a marketing database.
Make it easy for customers to give permission
It is good practice to make it easy
for customers to update and change their data and communication preferences.
Staff training on what constitutes personal data and what you can and can’t do
with personal data is also important.
Data from suppliers
Also remember that if you either bring
in personal data from suppliers or they use your customers' personal data to
provide services, you should review the contractual commitments of all the
parties involved (GDPR requires a written contract with any supplier that processes
personal data on your behalf), and any practices and policies a supplier may have which
could impact your own GDPR compliance and wider reputation.
Use GDPR to your advantage
It is not all bad news for
businesses. Indeed, GDPR could represent an opportunity rather than a curse.
Once you have sorted out your existing data and found the right and compliant way to process new data, then
you need to see if you can use GDPR to your advantage. In the short-term the
likelihood is the size of the database (that you can legitimately contact) will
shrink significantly - which is why a lot of companies are desperately emailing
you to get your consent to send further communications.
But a bigger database does not
necessarily mean better. Remember that after GDPR you will have a contact base
of customers that really want to engage with you and hear from you.
If you target these customers in the
right way they can be far more valuable to you than a huge database of people
who can’t remember why or how they signed up to your services in the first
place and continue to ignore (or get angry about) your communications. Your
loyal customers can be crucial advocates and supporters for you if you treat them
correctly.
Promoting the fact that you are a GDPR
compliant business, to your current and future customers, can be a great way to
win business instead of losing it. If you can demonstrate you take personal
data seriously and treat customers with respect then they will respect you more
for it. Smart companies can use GDPR to win business by cherishing, nurturing
and engaging with their valued customers - which after all is what good
business should be all about!
How to get more information
It is tempting to think that new
European rules don’t apply to your business. But they do, and they are likely
to remain in force after Brexit. The Information Commissioner's Office has a
wealth of information to help businesses - including a free guide about how to
prepare for GDPR.