Editor’s Note: This post was originally published in December 2017 and has been updated for accuracy
The phrase ‘Data protection’ only seems to come up when something’s gone horribly wrong—like the news of Uber’s massive data breach last year or the huge payroll data leak at Morrisons. But the frequency of data-related incidents could change with the impending General Data Protection Regulation (GDPR) – the EU’s law that comes into effect in May. This major update to the previous EU data protection law aims to regulate the use and treatment of an individual’s personal data.
Now that’s what you call more power to the people. Privacy is a human right, and the amount of data floating around the world today increasingly puts our privacy at risk. The quantity provides more opportunities for the theft and exploitation of our information.
But a new regulation means organisations that use data will need to be more careful and explicit about gaining consent. After May, companies that maintain poor data protection practices will not only be breaking the law, but could face a hefty fine of €20 million or four per cent of the company’s annual turnover.
Needless to say, the GDPR is a pretty big deal with even bigger consequences, and it’s no wonder the Content Marketing Association has deemed it the marketing world’s equivalent to Brexit. In other words: constantly talked about (and maybe a bit scary).
But where the initial shock around the UK’s divorce from the EU has waned, concern around the GDPR is only likely to grow this year. Still, no need to panic. If you’re a small business and don’t have the cash to splash out on a heavyweight team of legal experts, here are seven ways to ensure you’re compliant with the GDPR:
1. Conduct an audit: what data do you use?
All businesses use data differently. Your data might be a customer/client list, your staff payroll, mailing list subscribers or individuals who’ve registered for an event. Whatever the case may be, it’s important to understand what data you hold, who you share it with and how you use it.
Also, the Data Protection Act 1998 requires every data controller (e.g. a business or sole trader) that processes personal information to register with the ICO, but it’s worth noting that there are exemptions for those that only process personal data for:
· staff administration (including payroll);
· advertising, marketing and public relations (related to their own business); and
· accounts and records.
3. Identify your data processors (and check the GDPR is on their radar)
A data processor is the person or company that processes data on your behalf (you’re the ‘data controller’). In our case, we use Mailchimp to process the data that comes through our mailing list and webinar sign-up forms. Google Forms, Eventbrite, Wufoo, Mailermailer and Typeform are also examples of data processors.
Mailchimp has produced a handy guide to help its users prepare for the GDPR, so when it comes to getting ready for next May, they’re definitely on the ball. However, not all companies will be as proactive. Drop your processors a line to find out their plans for the GDPR, and try to get a contract or processing agreement in place that shows both you and the processor understand your respective responsibilities and liabilities. Google is a good example of a company that offers assurances in its data processing agreement. If you’re using a processor that’s never heard of the GDPR, or is reluctant to provide you with sufficient guarantees about how it plans to be compliant, steer clear and find an alternative. Even if your own business is 100 per cent compliant, you could still be liable for a fine if you use a data processor that hasn’t prepared for the big day.
4. Review how you ask for consent
It’s crucial that you give individuals the choice to be on your mailing list, as well as control over how you use their data. According to the GDPR, consent should…
…Be a separate request from other terms and conditions
…Require a positive opt-in (an opt-in box that the individual must actively tick)
…Be specific. So, an opt-in for a mailing list doesn’t mean that data can be used for something else (unless this is clearly outlined).
Consent also requires individuals to know that they can withdraw from your database at any time, and how to do it. It’s a fairly straightforward process to remove an individual from lists in Mailchimp – and it’s also easy for them to unsubscribe themselves. Finally, consent should be reviewed regularly. You shouldn’t keep someone’s data forever, so it’s important to schedule regular check-ins with your subscribers to ensure they are happy to remain on your list. Any changes should be well documented.
5. Get fresh consent
You will need to get new, GDPR-compliant consent if your current consent practices aren’t up to scratch. In our case, we’ll be asking our mailing list in the New Year whether they want to remain on our database, and we’ll only keep contacts that explicitly opt in. Any ‘nos’, or non-responses after a set period of time, will be cleaned from the list.
6. Pick a data protection officer (DPO) in your team
At a minimum, a DPO should be the first point of contact for supervisory authorities and for individuals whose data is being processed. Other responsibilities include advising your organisation and employees on GDPR compliance and data protection. A DPO is also required to manage internal data protection activities, train staff and conduct audits.
7. Draft a data protection policy
This is one for the employee handbook. A policy will demonstrate your commitment to the GDPR and set out your business’s processes and approach to data protection, how you report data breaches and how you plan to implement the data protection policy in the years to come.