If you hold data about your customers, employees, or suppliers, keep reading, because a new law means you could be fined up to 20 million euros (just over $23 million USD). And if you’re wondering whether GDPR compliance is necessary for those who live outside the EU, the answer is yes. I’ll explain.
The GDPR stipulations only apply when personal data is collected from an individual person who is located in an EU country at the time the data is collected.
It concerns any individual, not just EU citizens. It also does not apply to EU citizens who have their data collected while they are outside of the EU.
What Is The GDPR?
The GDPR stands for General Data Protection Regulation and is a new law that is now in effect as of Friday, May 25th, 2018. It completely changes how we store and use data and it’s pretty strict. You could be fined up to 20 million euros or just over $23 million USD. So make sure that you’re doing everything necessary in order to be compliant with GDPR.
There is a lot of confusing information out there about GDPR that is vague and full of legal jargon. Most people aren’t sure if they are compliant or if they need to take steps to become compliant. So, I’ve broken down 12 easily understood tips you need to know to make sure you’re compliant.
Why Has The GDPR Come Into Effect?
The reason these new GDPR laws have come about is that the previous laws were outdated. There has been a boom in technology, with things like the internet, and people feel that they’ve lost control of how their data is being used and stored.
Essentially, the GDPR laws are a good thing because they allow people to take back control of what data people and businesses hold on them.
To make sure you’re compliant with GDPR, the first thing you need to know is what data you already have on people, which leads me to step number one.
Step One: Organize Your Data
Store all of the data you have on your employees, suppliers, and customers in an organized manner. This is helpful for two reasons. Number one: if a person inquires about what information you have on them, you want to be able to access that information and get it to them as quickly and as accurately as possible.
Number two: if you were ever investigated under the GDPR, you want to be able to show that you know what data you hold on everyone.
What Exactly Is Data?
Personal data is any bit of information that you could use on its own, or together with another bit of information, to identify a person. That includes their name, phone number, address, photos of them, their IP address, etc. So, make sure you know what data you have on people and identify what each item is.
Step Two: Make Sure The Data You Collect Is Safely Secured
Now is the time to consider what measures you have in place to make sure that nobody could leak, hack, or misplace that data. If you’re storing that data digitally, what safety measures could you put in place?
Is the data stored in a cloud service that no unauthorized person could access? Do you have antivirus software on all of your devices? If any of your devices were ever lost or stolen, could you remotely wipe that data so that it isn’t compromised?
Similarly, if you have hard copies of the data you collect, what are you doing to secure it safely? Is it locked away someplace where no one who isn’t authorized can access that information?
Step Three: Make A Record Of All Safety Measures You Put In Place
It is also necessary to record the safety measures you’ve put in place and the steps you’ve taken along with dates. This is going to make sure that your entire team will all be in the loop and on the same page. Additionally, should you ever be investigated, you’re showing that you’ve already taken necessary precautions.
Step Four: Don’t Hold On To Data You Don’t Need
This is actually a very important step that is part of the new laws. You can’t hold on to data if you don’t know what you’re going to do with it. You need to be completely clear on why you’ve got someone’s name or email address. So don’t hold onto data with the thought that it could become useful in the future.
Step Five: Provide A Fair Processing Notice
Every time somebody hands over a bit of data to you, you want to make sure that they have clear access to your fair processing notice. GDPR asks that this fair processing notice contain no legal jargon that could be ambiguous. So, in clear layman’s terms, state what you will be doing with their information. When writing this document, keep in mind why you’re collecting the data, how you’ll keep the data safe, and who else besides you will have authorized access to that data.
Step Six: Have A Customer Support System In Place
If someone asks what information you have on them, are you able to easily find and provide it to them?
With the new law, you have to be able to supply people with the information you’ve collected on them. This needs to happen within one month of their request at no cost to them. So make sure you’ve got a process in place that will allow you to quickly provide all information you have on each individual person, should they request that from you.
Step Seven: Have A Process In Place To Delete Data
If someone asks you to delete all their data, you need to be able to do so. If this is requested of you, you must comply, it’s part of the new law. So again, make sure you know where all of the information you have on them is so you can easily wipe it.
Step Eight: Allow People To Positively Opt-In To Your Storing Their Data
When collecting someone’s data for marketing purposes, they must be fully aware of what data you’re collecting and why. They must understand what they are opting into and affirmatively give permission to having their information stored for marketing purposes.
Having a short notice on your opt-in forms that tells people what they are signing up for is a great way to fulfill this requirement. Additionally, you may wish to implement the double opt-in feature. This sends an email to their inbox and asks them to confirm their opt-in by clicking a button that confirms they want to be part of your mailing list.
When collecting data in person, have people sign a physical opt-in form that expresses their permission to collect and store their data for marketing purposes. However you decide to go about it, have proof that they gave you permission. Having a signed consent form is a great option.
Step Nine: Use A Layered Opt-In Form
A layered opt-in form has a link within the form that leads to more information on how a person’s information will be used. This information is simple and easy to understand and is meant to simply give people a bit more information and a clearer understanding.
Step Ten: Make It Easy For People To Opt Out
When sending marketing emails, make sure you have a clear and obvious unsubscribe button at the bottom. You don’t want a hidden or small printed unsubscribe button. This also applies to text messages, call services, and direct mail services. Make sure people have an easy way out of receiving any marketing texts or phone calls, or postal mail from you.
Also, make sure that you completely remove anyone who requests to be removed. You don’t want to make the mistake of accidentally sending any marketing materials to someone who has opted out. If you are reported you could end up paying a very hefty fine, which you definitely don’t want.
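The following is an added example, not code from the original post, showing one way to wire Steps Six, Seven, Eight and Ten together in a single consent ledger: a double opt-in that keeps dated proof of consent, an access-request export with its due date, an opt-out that stops marketing, and an erasure that removes the record and any pending tokens. The `ConsentLedger` class, the constructed addresses and the 30-day reading of "one month" are all assumptions made for the example.

```python
"""Consent ledger demo: double opt-in proof, access export, opt-out, erasure."""
import secrets
from datetime import datetime, timedelta, timezone

ONE_MONTH = timedelta(days=30)  # assumption: "within one month" read as 30 days


def demo_time(days=0):
    """Constructed timestamps, counted from the day the GDPR took effect."""
    return datetime(2018, 5, 25, tzinfo=timezone.utc) + timedelta(days=days)


class ConsentLedger:
    """One consent record per person; every state change is dated for proof."""

    def __init__(self):
        self.records = {}   # email -> consent record
        self.pending = {}   # single-use confirmation token -> (email, purpose, source, when)

    def request_optin(self, email, purpose, source, now):
        # Double opt-in, step 1: issue a token that would be emailed as a confirm link.
        token = secrets.token_urlsafe(16)
        self.pending[token] = (email, purpose, source, now)
        return token

    def confirm_optin(self, token, now):
        # Double opt-in, step 2: the click proves the mailbox owner agreed; keep the proof.
        entry = self.pending.pop(token, None)      # pop makes the token single-use
        if entry is None:
            return False
        email, purpose, source, requested_at = entry
        self.records[email] = {
            "email": email, "purpose": purpose, "source": source,
            "requested_at": requested_at.isoformat(),
            "confirmed_at": now.isoformat(), "opted_out_at": None,
        }
        return True

    def may_send_marketing(self, email):
        rec = self.records.get(email)
        return rec is not None and rec["opted_out_at"] is None

    def opt_out(self, email, now):
        rec = self.records.get(email)
        if rec is None:
            return False
        rec["opted_out_at"] = now.isoformat()      # keep the record, stop the mail
        return True

    def access_request(self, email, now):
        # Everything held on the person, plus the date the answer is due.
        return {"due_by": (now + ONE_MONTH).isoformat(),
                "data": dict(self.records.get(email, {}))}

    def erase(self, email):
        # Deletion request: drop the record and any unconfirmed tokens for that person.
        self.pending = {t: v for t, v in self.pending.items() if v[0] != email}
        return self.records.pop(email, None) is not None
```

The `opted_out_at` field is kept rather than deleted on opt-out so you retain proof that the person was removed; only an erasure request empties the record.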
Step Eleven: Make Sure Your Whole Team Is In The Loop
It is of crucial importance that your entire team knows about the new GDPR laws. Consider sending a company-wide email as well as holding a meeting to discuss the laws and answer any questions they may have. It is just as important that your employees are trained and comply with the GDPR, because their actions will affect your business.
Step Twelve: Elect A Data Protection Officer (DPO)
Either you or someone on your team should be the designated DPO. A DPO is an enterprise security leadership role required by the GDPR, so make sure you have this in writing. This means that one person will be responsible for enforcing all the steps mentioned and will ensure that these steps are complied with.
Now that you have these steps, if they aren’t in place yet, be sure to start implementing them right away. Now I’ll cover some frequently asked questions that many people seem to have.
Can I still purchase data from third-parties? If so, how will I know that the data I purchase is GDPR compliant?
If you’re thinking about purchasing data, like an email list, make sure the person you’re buying the data from has been GDPR compliant. You also need to make sure that every single person on that list has positively opted in to receive information or have their data stored by a third party.
I want to sell my business. Can I provide the data I’ve acquired from employees, suppliers, and customers to the new business owner?
In this case, you want to have an assignment clause within your fair processing notice. The clause should clearly state that if someone were to buy your business, the new business owner will receive all the data you’ve collected. This means they will not only own it but must also use it only for the same purposes you did.
Make sure the new owner understands that they can only use the data in the same way and for no other purposes. If the new business owner would like to use the data in a different manner, they would then need to contact everyone again and ask them to positively opt-in for the new purpose.
I’ve collected a lot of data on my customers over the years. Am I able to keep everything that I’ve already collected?
With the new laws in place, you now need to make sure that everyone you have information on has not only consented but that you have proof of their consent. Your safest bet is to contact everyone in your existing database. Just explain that the law has changed and that they need to positively opt-in again, in order to continue receiving emails from you.
The easiest option is just to ask everyone to email you back saying, ‘yes, I’m fine with that.’ How you choose to go about it is entirely up to you, just know that it is necessary.
I hope that you’ve found these steps useful. Just as a small disclaimer, I’m not legally trained. The information I’ve provided is simply my understanding of the confusing legal jargon associated with the GDPR. So, please be sure to do your own research and consult with a legal professional if you need help understanding the GDPR laws.
I’d love to hear from you. How do you feel about the new 2018 GDPR laws?