With the GDPR deadline only 16 days away I thought I’d do a bit of extra research for you, so that if you’re feeling a bit overwhelmed with it all you know where to go for the right guidance and information. Please be aware that everything I put in this post is only information I have gathered from a variety of online sources and it does not constitute legal advice. You must do your own research and get up to speed for yourself. I’m merely here to signpost the way and highlight things you should probably know and need to find out.
The mass of notes on my desk makes me worry that this post could become massive pretty quickly. I will try not to waffle on, but as you can probably guess this is a big topic. But don’t let that put you off – there are some simple steps you can take (as a micro or small business owner) that will put you on course to becoming compliant. And it’s not really that scary.
What is GDPR and why is it a good thing?
The European General Data Protection Regulation is an update to the Data Protection Act of 1998. As you can imagine, issues around data protection have changed significantly during the last 20 years and this legislation is a response to that. Our personal data is being recognised for the valuable asset that it is, and companies are being asked to respect the privacy of individuals and treat our data appropriately. All good things, I’m sure you’ll agree. As the legislation tightens things up, it means that we, as customers, have more rights and will be able to demand higher standards in how our personal data is used, and we are able to make complaints to the governing body (the Information Commissioner’s Office) more easily.
What this means for you, as a person who processes personal data as part of your business, is that you are obliged to meet certain requirements and you are expected to be more transparent about how you use people’s data. This is a great opportunity for you to build trust with your customers/clients and to engage with an audience who genuinely wants to hear from you! It’s also a good time to have a spring clean of your databases and email lists and to take a closer look at how you organise your business – something we often neglect.
Does GDPR apply to me?
There is some information on the web saying that companies with fewer than 250 employees may not be subject to the new legislation. This isn’t true. If you process any sort of ‘personal data’ at all then GDPR applies to you. As ‘personal data’ covers things like names, postal addresses, email addresses, phone numbers etc, I’d guess this is relevant to you. And if you think that you don’t ‘process’ data, well, think again. The definition of processing covers anything done to or with data, including (but not limited to) collecting, storing and retrieving. So that includes all of us who ask for people’s email addresses, promote our work or sell work online. And, just to be clear: being GDPR compliant is more than just updating email lists – it means understanding all the ways you gather, use and store people’s data. It also means being responsible for the security of that data. If there is a data breach you are responsible for informing the ICO within 72 hours.
Also, please be aware that depending on the types of data you use, how you use them and for what purpose, you may need to register with the ICO and pay a controller charge. You can find out whether you need to do this by taking their online questionnaire.
What should I do? Steps to take now
1. Get familiar with GDPR and understand your position
Here are a few great places to start:
- This introduction to GDPR on the Folksy blog is straightforward, relevant to makers, and gives you some fantastic links.
- I’ve watched this webinar by Suzanne Dibble (“the Small Business Law Expert”) and it’s excellent. She covers all the legal aspects, your obligations and offers a handy action plan. It may be 2.5 hours long, but it is worth it.
- Everything you could possibly need to know about GDPR is on the ICO website. Start with the FAQ to get a general overview or the information for small organisations, and then start exploring their pdfs, guides and toolkits.
2. Understand your existing relationship to personal data
You need to do an information audit to find out what personal data you hold and how you use it. Ask yourself these questions:
- What personal data do you hold?
  What data is necessary to your business? Don’t keep more data than you need.
- Why do you hold it?
  There are 6 lawful bases for processing data – which ones apply?
- How did you get it?
  Under the new legislation a higher standard of consent is required – do you meet it?
- How do you use it?
  You need to be more transparent about all the ways you use people’s data.
- How do you store and process it?
  Personally (on your computer, phone or other devices), remotely (cloud, third-party software) or physically (files, folders, filing cabinets)?
- What security is involved?
  You must take reasonable steps to secure people’s data – how secure are your computers, devices and physical storage systems?
These are the sorts of questions your customers/clients are entitled to ask you, so you need to know the answers. If you receive a ‘data access request’ from someone (i.e. they ask to know what data you hold about them and how you use it), you need to be able to respond within 1 month, so this audit will prepare you for that possibility. Create a document with these details.
3. Update your policies
4. Email your mailing list and ask for GDPR compliant consent
This is a bit of a contentious issue for some people. Reading the guidance, it could be interpreted that you may not need to get everyone on your list to re-consent. However, it is unlikely that the circumstances in which they signed up were in line with current GDPR requirements (even if you did use software like Mailchimp), as the new requirements are much stricter and involve many elements. It’s better to be safe than sorry and ask for re-consent.
Remember, people have to opt in. Their consent needs to be obtained via ‘clear, affirmative action’. When you contact them to ask them to re-consent, you must not fall into the trap of saying ‘if I don’t hear from you, I will assume that you wish to remain on the email list’ or something similar. This is not appropriate. They must be given the opportunity to choose Yes to opt back in, or to leave it and have that (non-)response count as a No.
But, don’t see this as a chore. It could be the perfect opportunity for you to refresh and re-engage with your audience. Yes, there is the possibility that not everyone will choose to opt back in, and you may see your mailing list reduce in size. But – the ones who stay will be the ones who definitely want to be there. See it as a chance to reach the right people, and to focus on developing content that works for your core followers.
Your mailing list software should have guides, how-tos or step-by-step instructions for you to follow to set up a GDPR compliant mailing list and to create an email where people can update their information. Remember – you can only use people’s data for the explicit purpose you have told them you are using it for. So, unless you let people know all the ways you will be contacting them, and all the circumstances, you will not be able to use the data for something else. This means: if you say they are signing up for a newsletter and then you start sending them different emails about sales, products or offers, you may be going beyond the consent they have given.
5. Set up good records
The deadline on 25th May is not the end of the story. Once GDPR comes into full force, remaining compliant is an ongoing process. You will need to set up new systems within your business practice to make sure you are meeting your obligations. One of the key areas is setting up and maintaining good record keeping. It’s worth keeping all your GDPR documents and information in one central location so you can find them easily. Start keeping records of the following:
- all the data you process (you can use your audit document for this).
- how you obtained people’s consent.
  If you use software like Mailchimp they do this for you, but if you collect people’s email addresses in person (say at a show or event) then you must make sure you record how they consented and what information you had given them.
- how often you review your data, consent and policies.
All the data you process must be kept accurate and up to date. This means no storing old emails or details from customers from years ago (unless for legal purposes like tax returns). Don’t keep hold of data for longer than you need to. Good practice seems to be to conduct regular reviews of the data you hold. If you are in the habit of doing quarterly reviews that may be a good time to think about your GDPR compliance, or perhaps doing an annual review at tax return time might work for you.
Some things I have read suggest emailing your list every 6 months to a year letting them know what information you hold and asking them to update anything that has changed (or to request to have their data deleted). That may not be practical for small businesses. But it is recommended that you have an annual or twice-yearly review of consent. Contact all the people on your list and ask them if they would like to continue to hear from you. Remind them that they have the right to opt out at any time.
It is unlikely that on the 25th the ICO is going to start investigating small businesses. However, the GDPR is legislation that you are subject to and you need to be taking steps towards compliance now. Don’t ignore it – see it as a way to build stronger relationships with your audience and customers, to build trust and to show them that you respect their data and conduct your business in a professional manner.