If you have data about your customers, employees or suppliers, then read this article, because a new GDPR Regulation law means that you could be at risk of being fined 20 million euros!!!
GDPR Regulation is a new law that’s coming into effect on the 25th of May 2018. This is going to totally change how we store and use data, and they’re going to be pretty strict about it.
You could get fined up to 20 million euros, so make sure that you’re doing everything so that you’re compliant with GDPR Regulation.
The problem is that a lot of the information out there about GDPR regulation is vague, full of legal jargon and confusing.
How do you know how to be compliant with GDPR Regulation?
Luckily, we broke it down into 10 tips you need to know to make sure you’re compliant with all the new laws. The reason these new GDPR regulations have come about is that the last time data protection laws were created was in the nineties. Since then there’s been a boom in technology, things like the internet, and people feel that they’ve lost control of how their data is being used and stored. So the GDPR regulation is a positive thing, because it allows the everyday person to take back control of what data people have on them.
To make sure you’re compliant with GDPR Regulation, the first thing you need to know is what data you have on people, and that leads me to tip number one.
1. Data record
Store all of the data you have on your employees, suppliers and customers in an organized way. This is going to be helpful for two reasons:
First, if a person asks, “hey business, what information do you have on me?”, you want to be able to get all of that information to them as quickly and as accurately as possible, so make sure all the data you have is organized so you can do that.
Second, if you were ever to be investigated under the GDPR Regulation, you want to show that you know what data you have on everyone, so store it in a really organized way.
Now, what is data?
Well, personal data is any bit of information that you could use on its own, or together with another bit of information, to identify a person. That includes their name, their phone number, photos of them and their IP address. Make sure you know what data you have on people and identify what that is.
2. Make sure the data is safely secured.
So what measures have you got in place to make sure that nobody could leak, hack or misplace that data?
If you’re storing that data digitally:
What safety measures could you put in place?
Could the information be up there in the cloud?
Do you have antivirus software on all of your devices?
If any of your devices were lost, could you remotely wipe that data so nobody could access it?
Start thinking about these things, because you want to make sure your data is always in safe hands. Similarly, if you have hard copies of your data, what are you doing with them?
Are you storing them securely?
Are they locked away?
Are they in a fireproof box?
Are you making sure that no one who shouldn’t have access to that information can get at it?
You also want to record all of this in a risk assessment. So actually write down what safety measures you have taken to make sure that data is safe.
This is going to make sure everybody in your team knows exactly what’s happening, and should you ever be investigated, you’re showing that you’ve already taken the necessary precautions.
3. Don’t hold on to data unnecessarily.
This is a big one that’s coming in with the new laws.
You can’t hold on to data if you don’t know what you’re going to do with it. You need to be totally sure of why you’ve got someone’s name or email address, so don’t hold onto data just in case it might come in handy in the future.
4. Fair processing policy
This is a document that clearly explains what data you’re going to be taking from people and how you’re going to be using it.
Every time somebody hands over a bit of data to you, you want to make sure that they have clear access to your fair processing notice.
GDPR Regulation asks that this fair processing notice contains no jargon and no legal or waffly bits that could be ambiguous, so start with a blank piece of paper and, in layman’s terms, say what you are going to do with that information. When writing this document, here are some questions to keep in mind:
What information is being collected?
Who is collecting it?
How is it being collected?
Why is it being collected?
How is it going to be used?
Who will it be shared with?
What will be the effect of this on the individuals concerned?
Is the intended use likely to cause individuals to object or complain?
5. What information are you collecting.
If somebody asks “what information do you have on me?”, do you have a process so that you can easily give that to them?
Under the new GDPR Regulation, you have to be able to supply people with the information you have on them if they ask. You have to supply this information within one month of the request.
And you have to do it free of charge, so make sure you’ve got a process in place so that you can quickly gather all the information you have on them and send it over to them.
6. Deleting data on request.
Have a process in place so that if someone asks you to delete all their data, you can.
If someone asks you to delete all their data, you have to. That’s part of the new law, so make sure you know where all of the information you have on them is, so you can easily wipe it.
Now, about marketing and how the GDPR Regulation is going to affect that!
7. Using data for Marketing purposes.
Allow people to positively opt in to you having their data and using it for marketing purposes. So what does this mean?
It means that if you’re going to use someone’s data for marketing, they have to take some sort of action to say: yes, you can have my data, and yes, you can use it for these reasons. That’s known as
It used to be the case that you would go on to a website and there would be a pre-ticked box that said “yeah, you can use my data for whatever”. That’s not the case anymore. People have to actively tick that box or take another action. Some good examples of getting people to positively opt in are having a tick box next to a contact form that says “yes, you can use my data”, which someone has to tick themselves, or having a double opt-in. This is when an email comes through to their inbox that says “click this button to be part of our mailing list, so that we can use your information for X and Y”.
If you’re collecting people’s information in person, you could get them to sign something to say that they’re happy for you to use their data in this way, or you could get them to tick a box that says “I’m happy for you to do this”, whatever it is.
Make sure that the person is taking an action and that you have evidence that they did it.
8. Layered opt-in forms.
This is something the GDPR Regulation is simplifying, and something I really like.
A layered opt-in form gives users easy access to understand their information and how it’s going to be used, but it doesn’t look messy: instead they can click on a button and delve into more information, if they’d like, about how you’re going to use it.
9. Make it easy for users to opt out.
If you’re using people’s information to send them marketing, make it really easy for them to opt out of it.
If you’re using emails, you need to make sure people can unsubscribe, same with things like text messages and call services. Similarly if you’re sending people mail, make sure that you’re writing something at the bottom that tells them how they can stop receiving this mail.
The information for opting out should be really clear and really obvious; don’t use any small print. Also, make sure you have a really strict policy on how you’re going to make sure someone who has opted out doesn’t get any more marketing material from you.
This is where you could really fall short of GDPR Regulation, the law, and get reported, and that’s when the twenty million euro fines are going to come knocking at your door, which we don’t want. So you need that policy: if someone doesn’t want to receive anything anymore, make sure everyone in your team knows that, so they no longer receive it.
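To make tips 7 and 9 concrete, here is an added example (not from the article) of a small consent register: it records the positive action a person took, confirms it with a double opt-in link token, honours opt-outs before any marketing goes out, and can hand back the whole consent history for a subject access request (tip 5). The server secret and the email addresses used are constructed placeholders.

```python
# Added example (not from the article): a minimal consent register that keeps
# evidence of positive opt-in, confirms it via double opt-in, and honours opt-outs.
import hmac
import hashlib
import secrets
from datetime import datetime, timezone

# Constructed placeholder; in a real deployment load this from a secrets store.
SERVER_SECRET = b"example-secret-do-not-reuse"

# email -> list of consent events. Each event is the evidence the article asks for:
# when it happened, what action the person took, for which purpose, and via what source.
consent_log = {}

def _record(email, action, purpose, source):
    consent_log.setdefault(email, []).append({
        "at": datetime.now(timezone.utc).isoformat(),
        "action": action, "purpose": purpose, "source": source,
    })

def _token_mac(email, purpose, nonce):
    msg = f"{email}|{purpose}|{nonce}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:32]

def request_opt_in(email, purpose, source):
    """Step 1 of double opt-in: the person ticked an unticked box or signed a form.
    Returns the token to embed in the confirmation e-mail link (no expiry is enforced here)."""
    nonce = secrets.token_hex(8)
    _record(email, "opt_in_requested", purpose, source)
    return f"{nonce}.{_token_mac(email, purpose, nonce)}"

def confirm_opt_in(email, purpose, token):
    """Step 2: the person clicked the link. Only a token we issued counts as consent."""
    nonce, _, mac = token.partition(".")
    if not mac or not hmac.compare_digest(mac, _token_mac(email, purpose, nonce)):
        return False
    _record(email, "opt_in_confirmed", purpose, "email_link")
    return True

def opt_out(email, purpose, source):
    """Unsubscribe link, reply, or phone call: the opt-out is logged like any other event."""
    _record(email, "opted_out", purpose, source)

def may_market(email, purpose):
    """Marketing is allowed only if the latest event for this purpose is a confirmed opt-in,
    so an unconfirmed request or a later opt-out both block sending."""
    events = [e for e in consent_log.get(email, []) if e["purpose"] == purpose]
    return bool(events) and events[-1]["action"] == "opt_in_confirmed"

def evidence_for(email):
    """Everything held about this person's consent, for a subject access request."""
    return list(consent_log.get(email, []))
```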
10. Make sure all your team know about the new GDPR Regulation.
I would actually put this in an email, again just to show GDPR Regulation that you are very conscious of the laws.
Train all of your employees on everything we’ve spoken about today, because it’s just as important that they do it, so that your whole business isn’t liable; be extra safe. I would also appoint yourself or someone in your team to be the Data Protection Officer, and make sure you’ve got this in writing. This means that person is responsible for enforcing all the tips we’ve spoken about today.
Giving one person total responsibility means that these tips are much more likely to be enforced, because there are checks and balances in place across your business.
Now, those are all the tips that you want to go and implement straight away, because the twenty-fifth of May is coming up soon. But we’ve also been talking to a lot of our customers about GDPR regulation, and some questions keep coming up time and time again, so let me try and answer them for you.
GDPR Regulation, Main Questions Answered:
What if I want to buy data? How do I ensure that it is GDPR Regulation compliant?
Great question. If you’re going to buy data, say a big list of everybody’s email addresses or phone numbers, you need to make sure that the person you’re buying that information from has been GDPR Regulation compliant.
You also need to make sure that every single person on that list has actively opted in to receive information or to have their data stored by a third party. So make sure you check with the person you’re buying this information from.
Can I pass on the data I have on my employees, suppliers and customers to the new business owner?
In this case you want to have an Assignment Clause within your fair processing notice. The Assignment Clause should state really clearly that if somebody else were to buy your business, the new business owner would receive all the data you’ve collected on someone; they would then own it and use it for the same purposes that you have.
You also want to make it really clear to the new business owner: this is what we said we were going to use the information for, and you can’t use the information for anything else unless you contact everyone again and ask them to positively opt in.
Can I keep all of the existing data I have on people after the 25th of May?
When the new laws come in, you need to make sure that everybody you have information about has consented to that.
Your safest bet is to contact everyone in your existing database and just explain that the law is changing and that they need to positively opt back in to be able to receive emails from you, for you to continue to hold their data, etc. How you choose to do that is totally up to you. I think the two easiest options are to ask everyone to email you back saying “yes, I’m fine with that”, or to ask them to click on a link that lets them tick a box to say “yep, I’m fine with all the new laws changing and I’m fine for you to still store my data”.
So, in short, you are going to have to contact everyone, and they are going to have to positively opt back in for you to keep their data. I hope you found these tips useful.
If you’ve got any more questions, comment below and we will try to answer them to the best of our ability.
Also, let me know in the comments how you’re getting ready for the new GDPR Regulation law; I’d love to hear more tips that we can share with each other.
Now, a small disclaimer:
All of the information I’ve given today is totally my interpretation of the confusing legal jargon out there about GDPR Regulation, and I am NOT legally trained at all. So do go and do your own research, because the information I’m giving is merely advice. It’s taken me a long time to put all these tips together, so I’d really appreciate you sharing this article with others, because that means more people will get to read it and be able to be GDPR compliant.
So leave a comment below and share. I cannot wait to write you another GDPR Regulation article!!!