Ok, so there is lots of talk around GDPR, the new General Data Protection Regulation, that will be implemented from May this year. And I bet, like me, you are thinking:
What is this? How the hell does it affect me? What do I need to do?
Now I have read quite a few things on the subject and they have been about as clear as mud! I recently attended a webinar and for the first time I had a much better understanding of some of the fundamentals of what it is and what I need to do. Now, I am by no means an expert, and the GDPR is in fact still being written and finalised, but I do now feel I could pass on some of what I learnt to help you begin to make some sense of it.
WHAT IS GDPR?
GDPR = General Data Protection Regulation
GDPR, in its simplest form, is about using data fairly, securely and morally: being upfront about how it will be processed, and ensuring either that the consumer/contact has given consent or that you have a justifiable, legitimate reason to contact them in the way that you do and with the information you give.
GDPR is about transparency on:
1. Why you are holding data
2. What data you capture and hold
3. Where you will hold it (securely)
4. When and how you will be processing it and using it
It is about ensuring you have a clear map of how your business collects, stores, processes and uses data in every area of the business, and that you have clear procedures and policies throughout that everyone in the business understands and is responsible for upholding and adhering to. There aren’t really any stringent processes and rules, but rather guidelines: it is a principles-based policy.
1. It needs to be mapped out and implemented across the entire business, literally anywhere you collect, store and process data. That includes but is not limited to:
2. There is no set rule on who should be responsible for driving the GDPR policies through the business. However, unless you are going to employ a dedicated data manager (recommended for large companies), that will mean that either you as a solopreneur, or your marketers, are the driving force behind assessing the current data policies and processes and starting to tackle the implementation of the new ones, because you or your marketer handle the customer databases used for marketing. If you are a VA handling data on behalf of a client, you are responsible for that data, so you will need to ensure that you know where it has come from, that they have gained consent, and that you uphold their GDPR processes as well as your own for your business.
3. It is recommended that, if you are a larger business, you assign data champions in each department that handles data, to ensure that the policies and processes are being upheld within each department.
4. GDPR is about accountability; ignorance is not a defence on this one. It is also not enough to simply comply: you need to be able to demonstrate how your company arrived at its data policies and procedures, why you have chosen the route you have, and then show your clear policies and how they are being implemented across the business.
5. There is no distinction between how you should handle B2C and B2B data. The same principles should be applied.
6. GDPR is not a static destination: your compliance and data handling policies will need to be revisited and revised regularly to ensure that you keep up with changes and that you are always doing the right thing when handling data.
7. The level of granularity you go into is up to you and will depend on your business, but the more detailed and robust they are, the safer your policies will be.
8. GDPR will be policed by complaints. If you are misusing data and someone complains about your data handling, you will be investigated, and the fines are steep (we are talking millions!). Having your clear workings and thought processes to hand will be essential to justify why you are handling data in the way that you are.
9. Do not wait until the May deadline to see the final policies; start now. It is better to begin, make decisions as a company and put policies in place, and then amend them as necessary once the GDPR comes into force.
10. As part of GDPR you must make your privacy and data policies available to contacts at the point of data capture, in clear and plain English. They must be able to consent, and there must then be an option for them to change the permissions for the data you hold on them and to withdraw consent.
11. GDPR is relevant whether your business is in Europe or not. Even if your business is based in the USA or similar, if you deal with customers and suppliers in Europe you will need to be compliant, so it is best to have a policy regardless.
DOWNLOAD YOUR EASY GUIDE TO GDPR
Sign up to my free Business Resource Library to download your free GDPR guide and gain access to all the other downloads, resources and The Content Hub taster courses.