If you gather personal data about customers, employees or suppliers, then you need to read this article, because the new GDPR Regulation could put you at risk of a fine of 20 million euros!
The GDPR Regulation is a new law coming into effect on the 25th of May 2018. It is going to change how we store and use data, and enforcement is going to be strict.
You could be fined up to 20 million euros, so make sure everything you do complies with the GDPR Regulation.
The problem is that a lot of the information out there about the GDPR Regulation is vague, full of legal jargon and confusing.
How do you know how to be compliant with the GDPR Regulation?
Luckily we've broken it down into ten tips you need to know to make sure you're compliant with all the new laws. The last time data protection laws were implemented was in the nineties. Since then there has been a boom in technology, things like the internet, and people feel they've lost control of how their data is processed and stored. So the GDPR Regulation is definitely a good thing, because it allows the everyday person to take back control of what data people hold on them. To ensure you're compliant with the GDPR Regulation, the first thing you need to know is what data you have on people, which leads me to tip number one.
1. Data record
Store all of the information you have on your employees, suppliers, and customers in an organized way. This is going to be helpful for two reasons:
First, if a person asks, "Hey business, what information do you have on me?", you have to be able to get all of that information to them as quickly and as accurately as possible, so make sure all the data you have is organized so you can do that.
Second, if you were ever investigated under the GDPR Regulation, you want to be able to show that you know what data you have on everyone. So store it in an organized way.
Now, what is data?
Well, personal data is any bit of information that could be used on its own or together with another bit of information to identify a person. That includes their name, their phone number, photos of them and their IP address. Make sure you know what data you have on people and identify what that is.
2. Make sure the information is safely secured.
So what measures have you got in place to make sure that nobody could leak, hack or misplace that data?
If you’re storing that data digitally:
What security measures could you put in place?
Could the information be up there in the cloud?
Do you have antivirus software on all of your devices?
If any of your devices get lost, could you remotely wipe that data so nobody could access it?
Start thinking about these things, because you want to make sure your data is always in safe hands. Similarly, if you have hard copies of your data, what are you doing with them? Are you securing them safely? Are they locked away? Are they in a fireproof box? Are you making sure that nobody who shouldn't have access to that information can get at it? You also want to record all of this in a risk assessment.
So actually write down what safety measures you've taken to make sure that data is safe.
This makes sure everybody on your team knows exactly what's happening, and if you are ever investigated, it proves that you've already taken the necessary precautions.
3. Don't hold on to data unnecessarily.
This is a big one in the new laws.
You can't hold on to data if you don't know what you're going to do with it. You need to be entirely sure of why you've got someone's name or email address, so don't hold onto data just in case it might become handy in the future.
4. Fair processing policy
A fair processing policy is a document that clearly explains what data you're going to take from people and how you're going to use it.
Every time somebody hands over a bit of data to you, you want to make sure that they have transparent access to your fair processing notice.
The GDPR Regulation asks that this fair processing notice has no jargon, legalese or waffly bits in it that could be ambiguous, so start with a blank piece of paper and say in layman's terms what you're going to do with that information. When writing this document, here are some questions to keep in mind:
- What information gets collected?
- Who is collecting it?
- How is it being collected?
- Why is it being collected?
- How is it going to be used?
- Who will have access to it?
- What is the effect of this on the individuals concerned?
- Is the intended use likely to cause individuals to object or complain?
5. What information are you collecting?
If somebody asks, "What information do you have on me?", do you have a process so that you can easily give that to them?
So with the new GDPR Regulation, you have to be able to supply people with the information you have on them if they ask, and you have to provide it within one month of the request.
And you have to do it free of charge, so make sure you've got a process ready so you can quickly gather all the information you have on them and send it over.
6. Have a process in place to delete all of someone's data if they ask.
If someone asks you to delete all the data you have on them, you have to. That's part of the new law, so make sure you know where all the information you have on them is, so you can easily wipe it.
Now, about marketing and how the GDPR Regulation is going to affect it!
7. Personal Data for Marketing purposes.
Allow people to positively opt in to you having their data and using it for marketing purposes. So what does this mean?
It means, that if you’re going to use someone’s data for marketing, they have to take some action to say, yes you can have my data, and yes you can use it for these reasons. That’s known as
It used to be that you would go on to a website and there would be a pre-ticked box that said, yeah you can use my data for whatever. That's not the case anymore.
People have to actively tick that box or take another action. Some good examples of getting people to positively opt in are a tick box next to a contact form that says, yes you can use my data, which someone has to tick themselves, or a double opt-in.
With a double opt-in, an email comes through to their inbox that says, click this button to be part of our mailing list and so that we can use your information for X and Y.
If you're collecting people's information in person, you could get them to sign something to say that they're happy for you to use their data in this way, or you could get them to tick a box that means I'm happy for you to do this, whatever it is.
Make sure that someone is taking action and you have evidence that they did that.
8. Layered opt-in forms.
This is something the GDPR Regulation is simplifying, and something I like.
A layered opt-in form gives users easy access to understand what information is collected and how it's going to be kept and used, but it doesn't look messy. Instead, they can click on a button and delve into more detail before approving how you're going to use it.
9. Create an easy way for users to opt out.
If you’re using people’s information to send them marketing, make it easy for them to opt out of it.
If you’re using emails, you need to make sure people can unsubscribe, same with things like text messages and call services. Similarly, if you’re sending people mail, make sure that you’re writing something at the bottom that tells them how they can stop receiving this mail.
The information for opting out should be unambiguous and obvious; don't use any small print. Also, make sure you have a rigorous policy to ensure that someone who opts out doesn't get any more marketing materials from you.
This is where you could fall short of the GDPR Regulation, get reported, and have those twenty million euro fines come knocking at your door, which we don't want. So you need that policy: if someone doesn't want to receive anything anymore, make sure everyone on your team knows that and nobody sends them anything else.
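Tips 5, 6, 7 and 9 all describe processes that end up implemented in software: knowing every place a person's data is held, exporting it on request within a month, wiping it on request, recording the action someone took when they opted in, and making sure an opt-out actually stops marketing. The small Python model below is an added example, not code from the article; the `PersonalDataRegistry` class, the store names and the e-mail addresses are assumptions made for illustration.

```python
import calendar
import hashlib
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import Dict, List, Optional


@dataclass
class ConsentRecord:
    purpose: str        # what the data may be used for, e.g. "marketing"
    evidence: str       # the action the person took, e.g. "ticked box on contact form"
    recorded_at: datetime


def one_month_after(asked_on: date) -> date:
    """Deadline for answering a request made on asked_on: the same day next month,
    clamped to the last day of that month (31 May -> 30 June)."""
    year = asked_on.year + (1 if asked_on.month == 12 else 0)
    month = 1 if asked_on.month == 12 else asked_on.month + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(asked_on.day, last_day))


def _suppression_key(subject: str) -> str:
    # The opt-out list only needs to recognise a person, not keep their address
    # in the clear, so it stores a hash of the normalised e-mail instead.
    return hashlib.sha256(subject.strip().lower().encode("utf-8")).hexdigest()


class PersonalDataRegistry:
    """Hypothetical registry of every place the business keeps personal data,
    keyed by the person's e-mail address (the 'subject')."""

    def __init__(self) -> None:
        self.stores: Dict[str, Dict[str, dict]] = {}        # store name -> subject -> fields
        self.consents: Dict[str, List[ConsentRecord]] = {}  # subject -> consents given
        self.suppressed: set = set()                        # hashed subjects who opted out

    def put(self, store: str, subject: str, fields: dict) -> None:
        self.stores.setdefault(store, {})[subject] = dict(fields)

    # Tip 7: nothing is consented to by default; consent needs an action and evidence.
    def record_consent(self, subject: str, purpose: str, evidence: str,
                       when: Optional[datetime] = None) -> None:
        if not evidence.strip():
            raise ValueError("consent needs evidence of an action the person took")
        when = when or datetime.now(timezone.utc)
        self.consents.setdefault(subject, []).append(ConsentRecord(purpose, evidence, when))

    def has_consent(self, subject: str, purpose: str) -> bool:
        return any(c.purpose == purpose for c in self.consents.get(subject, []))

    # Tip 9: marketing needs an active opt-in and no opt-out on file.
    def opt_out(self, subject: str) -> None:
        self.suppressed.add(_suppression_key(subject))

    def may_market(self, subject: str) -> bool:
        return (_suppression_key(subject) not in self.suppressed
                and self.has_consent(subject, "marketing"))

    # Tip 5: gather everything held on the person, with the one-month deadline.
    def subject_access_request(self, subject: str, asked_on: date) -> dict:
        held = {name: dict(records[subject])
                for name, records in self.stores.items() if subject in records}
        return {
            "subject": subject,
            "data": held,
            "consents": [(c.purpose, c.evidence, c.recorded_at.isoformat())
                         for c in self.consents.get(subject, [])],
            "respond_by": one_month_after(asked_on),
        }

    # Tip 6: wipe the person from every store; returns how many stores held them.
    def erase(self, subject: str) -> int:
        removed = 0
        for records in self.stores.values():
            if records.pop(subject, None) is not None:
                removed += 1
        self.consents.pop(subject, None)
        self.opt_out(subject)  # keep the hashed opt-out so marketing cannot resume by accident
        return removed


if __name__ == "__main__":
    # Constructed sample data for a walk-through.
    reg = PersonalDataRegistry()
    reg.put("crm", "ann@example.com", {"name": "Ann", "phone": "01234 567890"})
    reg.put("invoices", "ann@example.com", {"address": "1 High Street"})
    reg.record_consent("ann@example.com", "marketing", "ticked box on contact form")
    print(reg.subject_access_request("ann@example.com", date(2018, 5, 31)))
    print("stores wiped:", reg.erase("ann@example.com"))
```

Two design points worth noting: the registry knows every store, so a subject access request and an erasure both walk the same list and cannot silently miss one, and the opt-out list survives erasure as a hash rather than as the address itself, so you can honour the opt-out without holding the data you were asked to delete.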
10. Make sure all your team knows about the new GDPR Regulation.
I would put this in an email, again to show that you are very conscious of the laws.
Train all of your employees on everything we've spoken about today, because it's just as important that they do it, so your whole business isn't liable.
I would also appoint yourself or someone on your team as the Data Protection Officer, and make sure you've got this in writing, meaning that one person is responsible for enforcing all the tips we've spoken about today.
Giving one person total responsibility means these tips are much more likely to be enforced, because there are checks and balances in place in your business.
Now, those are all the tips that you want to go and implement straight away, because the twenty-fifth of May is coming up soon. We've also been talking to a lot of our customers about the GDPR Regulation, and some questions keep coming up time and time again, so I will try and answer them for you.
GDPR Regulation, Main Questions Answered:
What if I want to buy data? How do I ensure that that is GDPR Regulation compliant?
Great question. If you're going to buy data, maybe a big list of everybody's email addresses or phone numbers, you need to ensure that the person you're buying that information from has been GDPR Regulation compliant.
You also need to make sure that every single person on that list has actively opted in to receive information or to have their data stored by a third party. So make sure you check with the person you're buying this information from.
Can I pass on the data I have on my employees, suppliers, and customers to the new business owner?
In this case, you want to have an Assignment Clause within your fair processing notice. The Assignment Clause should clearly state that if somebody else were to buy your business, the new business owner would have all the data that you've collected on someone, would then own it, and would use it for the same purposes that you have.
You also want to make it clear to the new business owner that this means they can only use the information for what we said we were going to use it for, and they can't use it for anything else unless they contact everyone again and ask them to positively opt in.
What about all of the existing data I have on people? Can I keep it after the 25th of May?
So when the new laws come in, you need to make sure that everybody you have information about has consented to that.
Your safest bet is to contact everyone in your existing databases and explain that the law is changing, and that they need to positively opt back in to be able to receive emails from you and for you to continue to hold their data, etc.
How you choose to execute that is entirely up to you. I think the two most natural options are asking everyone to email you back saying, yes I'm okay with that, or asking them to click on a link that allows them to tick a box to say: Yes, I'm fine with the new laws and I'm fine for you to keep storing my data.
In short, you are going to need to contact everyone, and they are going to have to positively opt back in for you to keep their data. I hope you found these tips useful.
If you've got any more questions, comment below. We will try and answer them to the best of our ability.
Let me know in the comments below how you're getting ready for the new GDPR Regulation, and I'd love to hear more tips that we can share.
Now, a small disclaimer:
All of the information I've given today is entirely my interpretation of the confusing legal jargon out there about the GDPR Regulation, and I am NOT legally trained at all.
So do go and do your own research, because the information I'm giving is merely advice. It took me a long time to put all these tips together, so I'd appreciate it if you shared this article with others. That means more people will get to read it and be able to be GDPR compliant.
So leave a comment below and share. I can't wait to write you another GDPR Regulation article!