After chatting to quite a few small-business owners and start-ups, I have noticed some real confusion and panic about the GDPR legislation coming into force in a few days. In my opinion there is really no reason to be overly worried: the sun will still rise!
A few simple checks and changes will more than likely get you in shape, unless you have been doing things badly from the outset. GDPR is not a bad thing; it is an extension of what you should already be doing, and it ties into your existing business processes.
Consultants seem to be coming out of the woodwork and will try to scare you with talk of fines to get hired... do not be swayed into anything! There is no need to panic. Even though there is a date on which it comes into force, there will be a period of adoption, and a business that can show it is making a genuine effort to comply is far more likely to be helped than punished. Far better to get it right and take a bit longer than to rush it.
Yeah but what do I actually need to do? #
In its simplest terms, you need to be able to show a lawful basis for gathering and storing people's personal information. The ICO lists six lawful bases, defined as follows:
Consent - the individual has given clear consent for you to process their personal information for a specific purpose, e.g. subscribing to a newsletter.
Contract - it is necessary for a contract you have with the individual, e.g. selling them a product or service.
Legal obligation - it is necessary for you to comply with the law.
Vital interests - it is necessary to protect someone's life, e.g. emergency treatment by the NHS.
Public task - it is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
Legitimate interests - it is necessary for your legitimate interests (or those of a third party), and those interests are not overridden by the individual's rights. If you could achieve the same result in a less intrusive way, this basis will not stand.
(source: ico.org.uk, which was down as of 24th May!)
In many cases the contractual or legitimate-interests basis will apply first. Asking users for consent on every little thing is a terrible user experience, and people soon become blind to it, just like those annoying cookie pop-ups!
Look at any areas where you think you need consent: do you already have it? If so, document it (what was agreed, when and under what wording) rather than asking your users for it again.
Creating your GDPR Policy Document. #
Step 1 #
Produce a document that explains what information you collect, how and where you store it and who has access to it. Include information on staff here too, or link to any internal documents. Once you have detailed this, you can add in the extra requirements for GDPR, such as how you will delete a subscriber's data if they request it, or how you will supply the information you hold on a user. The document could cover the following:
What are you collecting? #
People talk about 'Big Data' and gathering everything you can about your users. The reality is that, with the change in regulation, it makes sense to consider what information you actually need from your customers. The more information you hold, the bigger the ramifications in terms of managing it, securing it and answering requests about it.
How are you collecting it? #
Make sure you are using the correct language and opt-ins on forms. Remember that the checkbox cannot be pre-ticked and the question cannot be worded in a confusing way; the user has to consciously opt in to you using their data, and consent for each separate purpose (newsletter, sharing with partners, etc.) should be asked for separately rather than bundled into one tick. It goes without saying that you should not be obtaining email addresses from dubious bought lists or by harvesting them from the internet.
Where is it stored? #
Look at how you store your customers' information. Is it held somewhere with limited access, or can the whole organisation get at it? Do you keep it all in one place, away from laptops, phones and USB sticks that could be lost or easily stolen?
Backups are covered by the GDPR too, and there will be cases where finding or deleting one person's data inside a backup is an issue. The regulation only requires measures that are appropriate to the risk, taking into account the available technology, the cost of implementation and the nature of the data, so document how backups are protected, how long they are kept and how a deletion request is handled if an old backup is ever restored.
Step 2 #
Check over any marketing emails to ensure they have a working unsubscribe link. This is a given really and should already be in place.
Step 3 #
Step 4 #
Ensure that any data capture points on your website (sign-up forms, contact forms, checkout) have an opt-in, and that the opt-in process aligns with the GDPR requirements above.
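As an added example (this is not code from the original post), here is how the opt-in described above might be handled in a JavaScript form handler. The purpose names, the consent wording, the `consent_` field-naming convention and the sample submission are all assumptions made for the example. The point it shows is that the box is never pre-ticked, each purpose gets its own box and its own wording, only an explicit tick counts, and what is stored is enough to show later what was agreed and when, which is what lets you document existing consent instead of asking for it again.

```javascript
// Added example, not from the original post. Assumed shape: each consent
// purpose is declared once, with the exact wording shown to the user and a
// version, so a stored record can prove what the person actually agreed to.
const CONSENT_PURPOSES = {
  newsletter: {
    version: "2018-05-24",
    wording: "Yes, send me the monthly newsletter by email.",
  },
  partner_offers: {
    version: "2018-05-24",
    wording: "Yes, share my email address with selected partners.",
  },
};

// Render one opt-in checkbox. It is never pre-ticked: the markup carries no
// `checked` attribute, and each purpose has its own box and its own wording.
function renderConsentCheckbox(purpose) {
  const def = CONSENT_PURPOSES[purpose];
  if (!def) throw new Error(`unknown consent purpose: ${purpose}`);
  return (
    `<label><input type="checkbox" name="consent_${purpose}" value="yes"> ` +
    `${def.wording}</label>`
  );
}

// Audit existing form markup for checkboxes that are ticked by default.
// Returns the offending <input> tags so they can be fixed.
function findPretickedBoxes(html) {
  const inputs = html.match(/<input\b[^>]*>/gi) || [];
  return inputs.filter(
    (tag) =>
      /type\s*=\s*["']?checkbox["']?/i.test(tag) && /\bchecked\b/i.test(tag)
  );
}

// Build consent records from a submitted form (a plain object of
// field name -> string, as a form-decoding library would give you).
// Only an explicitly ticked box counts: a missing field, "on", "true" or
// any other value is recorded as no consent, never inferred.
function recordConsent(fields, submittedAt = new Date()) {
  const records = [];
  for (const [purpose, def] of Object.entries(CONSENT_PURPOSES)) {
    const given = fields[`consent_${purpose}`] === "yes";
    records.push({
      purpose,
      given,
      wordingVersion: def.version,
      wording: def.wording,
      recordedAt: submittedAt.toISOString(),
    });
  }
  return records;
}

// Check whether you hold valid consent for a purpose: it was given, and it
// was given under the wording currently in use. If the wording has changed
// since, the old record does not cover it and you must ask again.
function hasValidConsent(records, purpose) {
  const def = CONSENT_PURPOSES[purpose];
  if (!def) return false;
  return records.some(
    (r) =>
      r.purpose === purpose && r.given === true && r.wordingVersion === def.version
  );
}

// Constructed sample submission: the user ticked the newsletter box only.
const sampleSubmission = { email: "someone@example.com", consent_newsletter: "yes" };
const sampleRecords = recordConsent(sampleSubmission, new Date("2018-05-24T09:00:00Z"));
```

Storing `sampleRecords` alongside the customer record (rather than a bare boolean) is what gives you the evidence the policy document in Step 1 promises: the purpose, the wording version and the time. When the wording changes, bump the version and `hasValidConsent` will tell you who needs to be asked again.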
Away from the website #
Depending on your type of business, you may need to speak to your legal team to confirm your obligations outside of the website, such as paper records, phone enquiries and data held by suppliers.