GDPR: The Resources You Need Right Now


I’ve been monitoring the GDPR situation closely and I’ve got some updates for you, based on my most recent research. 

As always, this is based on what seem to me to be the most reliable sources of information available.  I am not a GDPR expert, just a very interested business owner who wants to ensure compliance for herself and her clients.

The most useful source of information I have found recently is the set of self-assessment checklists which the Information Commissioner's Office (ICO) has put up on its website. They are very clear and relatively concise considering the complexity of the subject matter. I think they've done a great job of making it as clear as it can be, and I've used these myself to ensure I am fully compliant before 25th May 2018.

There are two checklists, one for Data Controllers, the other for Data Processors. We are all familiar with these terms from the Data Protection Act legislation.

I’ve checked the two lists against each other.  If you are a Data Controller, as most small business owners will be, then completion of all the requirements of the Data Controller checklist will ensure that you will also be able to complete the Data Processor assessment in full without carrying out further work.  Great if you are like me and fall into both categories.

You can click for further information on every step of the process to identify the tasks you need to complete for your business to ensure compliance.

https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/data-controllers/

https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/data-processors/

These checklists are quite long but you do need to ensure you meet all the criteria.   I’ve gone through the checklists and it seems that there are some key documents that you are going to need to have in place for your business in order to ensure compliance.

What You Will Need

• Privacy Notices – for your website and for your other records

• Data Protection Policy

• Information Security Policy

• Information Asset Register / Information Audit Document

• Records showing how consent was gained and how you will review it (if you are relying on consent as your basis for processing)

If you have a Business Risk Management Plan then this should be updated to show the Information Security risks under GDPR if it does not already adequately cover these.

For some businesses, you will also need to create Data Protection Impact Assessments.

For businesses handling children’s data, the rules are much more stringent.  You will need to meet additional requirements, which are documented in the checklists, in order to ensure compliance.

Registration

It looks as though everyone will need to register with the ICO if you have not done so already, and the fee structure for doing so will alter from the date the GDPR comes into force. Currently, I pay £35, as do most smaller businesses. From May 2018 it appears that there will be a three-tier system, based on the quantity of data processed and headcount within the business. Tier 1, for the smallest businesses processing up to 10,000 data items, will be up to £55. For the largest organisations, the fee could be up to £1000.

It seems that if your ICO registration is due before 25 May 2018, you will pay the original fee for 2018/19 before moving to the new fee structure on renewal in 2019.  For those of us whose registration date is after 25th May, the new fees will apply.  It’s still not a huge cost for most small businesses when you think that it goes to fund data protection for everyone.

Additional Resources

If you would like to get a bit more detail about how the legislation might affect specific areas of your business or sector, this website has some very helpful information on it: https://www.dpnetwork.org.uk  This site looks at the practical implementation in more detail and discusses areas where clarification is still needed on parts of the regulations.

As with any new legislation, there will be a period during which the legislation is examined and decisions are being taken about how the legislation will apply and work in practice.  However, this site and the ICO site are both great resources to keep an eye on to ensure you remain up to date with the latest information.

The DP Network site is run by Rosemary Smith, whose Data Protection credentials are second to none. Rosemary has actually been interviewed twice on the Next 100 Days Podcast with respect to the GDPR legislation. For those readers who like to consume content on the move, you may find the podcasts useful. Rosemary appears in episode 89, where she provides an update on the comments she gave the previous year in episode 29. The podcast is available from The Next 100 Days.org.

There are also a number of videos available on YouTube which address the specific concerns of various sectors and might prove useful for you as well.  I have recorded some very general ones myself, and these are available on the YouTube channel here.

There is also a blog post here, which discusses Email Marketing, Subject Access Requests and accountability principles.

Finally, there are a number of workshops being run up and down the country.  If you prefer to get your information in an environment where you can discuss the implications for your particular business with a real live expert, then you should be able to find these via Eventbrite, LinkedIn or your sector’s governing body website.

Is your Email list GDPR compliant?


The General Data Protection Regulation (GDPR) will come into force on 25 May 2018, replacing the current Data Protection Directive. It will bring significant changes to the way you handle data in your business. The legislation is very wide ranging and I can't hope to cover all the areas that you might need to know about in one blog post. The area I am most often asked about is the impact of GDPR on information retention and on Email Marketing.

At its most basic level, the new legislation aims to ensure personal data is properly safeguarded, people’s privacy is protected, and we aren’t bombarded by unsolicited information. If you hold and manage personal data relating to EU citizens within your business, you will need to understand your responsibilities under the regulations. Even if your company is based outside the EU and UK, if you have contacts or clients there and you want to use their email address for marketing purposes, you must comply with the Regulations.

Accountability Principle

A key change will be the introduction of the Accountability Principle. This requires you to show HOW you comply with the principles by keeping a clear record of the decisions taken about how each processing activity will be carried out.
Article 5 of GDPR requires personal data to be:

• Processed lawfully, fairly and in a transparent manner.
• Collected for a specific purpose, which must be made clear and explicit to everyone whose data you hold.
• Not further processed or used for other reasons for which you do not have, or have not sought, permission.
• Limited to only as much data as you need to complete the tasks for which you are holding the information.
• Accurate and kept up to date at all times. Any inaccurate data found must be erased or rectified as soon as the inaccuracy is discovered. Also, if you have shared that data with someone else, you must inform them of the inaccuracy so they can alter their records too.
• Kept only as long as is necessary for the processing purpose, and held securely, protected against unauthorised or unlawful processing as well as against loss, destruction or damage.

Compliance

GDPR also requires that the Data Controller, which in a small business is usually the owner, takes responsibility for, and is able to demonstrate, compliance with the principles of the Regulations.
It is good practice to demonstrate compliance via a policy for Data Protection. If you already have such a policy which complies with the current Data Protection Act then updating it to comply with GDPR should be reasonably straightforward.
Without the ability to demonstrate that you comply with the legislation you could leave yourself open to criticism and potential enforcement action if you breach the rules. The costs of a breach under GDPR are much higher than under the Data Protection Act so it makes business sense to get this right.

Email Marketing

With respect to Email Marketing, the most important change is that silence, pre-ticked boxes and inactivity are not considered as consent to be marketed to. People must actively take steps to opt into your marketing. So no pre-ticked boxes on your Email Sign Up forms please.
As mentioned above, you must state very clearly the exact purpose for collecting the data and how you propose to use it. So, if you wish to add people to your Email list, you must tell them this and explain what they will receive in return, for example, a monthly or weekly newsletter.
Because you need explicit and verifiable permission to add someone to a marketing list, you can’t just add the details from all those business cards you got at that networking event to your Email list. You must ask the person for permission to add them. You can send one individual Email inviting them to join your list. This must be a single email, personally addressed, and cannot be sent via a mail marketing programme such as MailChimp.
Similarly, if you put out a bowl on your trade stand asking people to drop in their business cards, the bowl should have a notice clearly stating that people will be added to your mailing list if they provide their card. This allows them to choose whether to opt into your mailings. There is a problem here, though: the new legislation will require you to provide traceable evidence of sign-up to mailing lists. So you might find sign-up sheets, or asking people to sign up via your website on a tablet, a better choice for growing your email list at trade shows.
Although we are mainly discussing Email marketing, if you want to collect phone numbers to call or send text messages, or collect addresses for traditional mailings, you need to seek permission to use each type of data (e.g. phone, SMS, post) and provide the option for people to opt in or out of each separate method, so they can choose the methods of contact they are most comfortable with. Provide an empty tick box for each option.
Since every bit of personal data you collect about a person is another bit of data you are responsible for (and must secure) it makes sense to only collect what you need and will use. Particularly as the penalty for breaching the regulations is a very hefty fine.

Consent and Email Marketing

It really is all about getting verifiable consent. One way to get this verifiable consent is to use a system such as MailChimp to build your list, as it has a double opt-in. People will not be added to your list until they have responded to a second email which asks them to confirm that they really did mean to sign up to your list. This double opt-in information can be used to prove permission to use the data.
The new rules specify very clearly that there must be an unsubscribe button or method by which the person can arrange to be removed from the mailing list and that this MUST be very prominently displayed and easy to find. Hiding it, or making it difficult to locate, is not an option.
Individuals will also have the “right to be forgotten”, that is, they can request to have their data erased with no trace of the information left behind. If someone requests this then it must be done as soon as possible and no further marketing materials sent to them.
GDPR will also prohibit the sale or exchange of personal data and it will not be possible to use data collected for one purpose (such as Email newsletters) for another purpose.
Even if you have previously obtained permission to use people’s email address, you will need to seek renewed permission to use that address ahead of the new legislation.

Action Points

So what action do you need to take?

• Review any areas of your business where you request email addresses, whether that is pop up windows on your website or sign up forms. Check that all the pop ups and sign up forms are clear and specific and include all the ways in which you might be going to use the Email address so visitors are very clear about how you will use their data.

• Keep a record of the permissions you are sent so that you can be quite certain, and can prove, that you have permission to market to each individual.

• If you have an old list you must gain permission to use each address on it. To do that, you would need to individually email each person on the list and ask them whether they would like to join your mailing list. Do not use the Carbon Copy (CC) function in your Email system to send messages to several people at once. Doing so will allow data to be seen by everyone you are emailing and thus breach the regulations.
It is possible to send to multiple email addresses using the Blind Carbon Copy (BCC) Function because each individual will see only themselves as an addressee. However, don’t send to large numbers of addresses all at once in this way. You will get blacklisted as a spammer if you do.
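The double opt-in flow described in the Consent and Email Marketing section, the separate tick box per contact method, the "right to be forgotten" and the action point about keeping a record of permissions all come together in a small consent ledger. The following is an added example written for this page; it is not code from the original post, from MailChimp or from any other mailing-list provider. The class and function names (ConsentLedger, request, confirm, may_contact, erase, proof), the LEDGER_SECRET value and the sample addresses are all constructed for the illustration.

```python
# Added example (not from the original post or any mailing-list provider):
# a minimal consent ledger that records double opt-in and per-channel permission.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Hypothetical server-side secret used to sign confirmation tokens.
# Constructed for the example; a real deployment would load it from configuration.
LEDGER_SECRET = b"example-secret-do-not-use-in-production"

# The contact methods a sign-up form may offer; each gets its own unticked box.
CHANNELS = frozenset({"email", "sms", "phone", "post"})


@dataclass
class ConsentRecord:
    address: str
    purpose: str                       # the exact wording shown at sign-up
    source: str                        # where the request came from, e.g. "web form"
    channels: frozenset                # only the boxes the person actually ticked
    requested_at: str
    token_tag: str                     # HMAC of the confirmation token, never the token
    confirmed_at: Optional[str] = None  # set only when the second email is answered


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def _tag(token: str) -> str:
    # Store a keyed hash of the token so a leaked ledger cannot be used to forge confirmations.
    return hmac.new(LEDGER_SECRET, token.encode(), hashlib.sha256).hexdigest()


class ConsentLedger:
    def __init__(self) -> None:
        self._records: dict = {}

    def request(self, address: str, purpose: str, source: str, ticked) -> str:
        """Record a sign-up and return the one-time token to embed in the confirmation email.
        A new request for an existing address replaces it: changed purpose or channels
        need a fresh confirmation."""
        channels = frozenset(ticked)
        unknown = channels - CHANNELS
        if unknown:
            raise ValueError(f"unknown contact channels: {sorted(unknown)}")
        token = secrets.token_urlsafe(32)
        self._records[address.lower()] = ConsentRecord(
            address=address, purpose=purpose, source=source, channels=channels,
            requested_at=_now(), token_tag=_tag(token))
        return token

    def confirm(self, address: str, token: str) -> bool:
        """Second step of double opt-in: accept only a token issued for this address,
        and only once, so a replayed link cannot rewrite the confirmation time."""
        rec = self._records.get(address.lower())
        if rec is None or rec.confirmed_at is not None:
            return False
        if not hmac.compare_digest(rec.token_tag, _tag(token)):
            return False
        rec.confirmed_at = _now()
        return True

    def may_contact(self, address: str, channel: str) -> bool:
        """Default deny: unknown, unconfirmed or erased addresses get nothing,
        and a confirmed address may only be used on the channels it ticked."""
        rec = self._records.get(address.lower())
        return rec is not None and rec.confirmed_at is not None and channel in rec.channels

    def erase(self, address: str) -> bool:
        """Right to be forgotten: drop the record entirely."""
        return self._records.pop(address.lower(), None) is not None

    def proof(self, address: str) -> Optional[dict]:
        """What you can show if asked how consent was obtained (no secrets included)."""
        rec = self._records.get(address.lower())
        if rec is None or rec.confirmed_at is None:
            return None
        return {"address": rec.address, "purpose": rec.purpose, "source": rec.source,
                "channels": sorted(rec.channels), "requested_at": rec.requested_at,
                "confirmed_at": rec.confirmed_at}


if __name__ == "__main__":
    ledger = ConsentLedger()
    # Constructed sample sign-up: one box ticked, from a trade-show tablet.
    token = ledger.request("alice@example.org", "Monthly newsletter", "trade-show tablet", {"email"})
    print("before confirmation:", ledger.may_contact("alice@example.org", "email"))
    ledger.confirm("alice@example.org", token)
    print("after confirmation:", ledger.proof("alice@example.org"))
```

The ledger keeps the sign-up wording, the source and both timestamps because that is what you would need to show if asked how permission was obtained; it stores only an HMAC of the confirmation token, so the record itself cannot be used to manufacture a confirmation, and it answers "no" for any address it does not know, which is what keeps an erased address out of later mailings.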

If you want to find out more about how to comply with the new legislation and get your business ready for the change, the ICO provides some excellent checklists specifically aimed at small business owners. These are straightforward and clearly written, covering the various areas which will change when GDPR is brought into force and the ways in which you can prepare your business for the new legislation. These can be found at WWW.ICO.org.uk/for-organisations/business
Another great source of information is www.dpnetwork.org.uk which, together with the ICO website, keeps you up to date on the latest interpretations of the upcoming legislation.

You can also find videos about the impact of GDPR on the new JJB Office Services YouTube Channel.

Does all this make your brain hurt? Are you wondering how you will find the time to make your business compliant? Perhaps you need existing policies and procedures reviewed and updated but don't have the time? Well never fear, Jenni is here. If you need a hand, please get in touch with me here.