Are You Ready for the New Data Protection Legislation (GDPR)?
New data protection legislation comes into effect on 25th May 2018 that will affect businesses and organisations around the world that collect ‘personal’ data about individuals living in Europe – no matter what country your business operates in.
There is a LOT of misinformation being shared about what we need to do (or not do) to be compliant with the new General Data Protection Regulation (GDPR).
The purpose of this blog post is to give you an overview of areas of your business this is likely to affect and to signpost you to resources to help you implement the required changes to how you collect and store personal data.
Please note that I’m not a lawyer nor a data protection specialist and so what I share only covers some of the basics – it’s worth checking out exactly what you need to do with data protection experts.
Why is this happening?
Have you ever received spam emails or phone calls from people you have not given your personal details to? Or worse still had your identity stolen?
Do you have any reservations about sharing personal information – particularly with people you don’t know or online?
Would you prefer to only give this to businesses you know will take care of this information, i.e. you know they’ll do what they can to make sure it doesn’t fall into the wrong hands?
What is the scope of these changes?
- What you say before you ask people to opt in/sign up to your email list or lead magnets – you will need to be specific about what they are signing up for and only use their information for this specific purpose.
- How you communicate with paying customers after they buy one of your products/services – they need to specifically and proactively opt in to receive any further communications.
- How you ask people to sign up to free gifts, newsletters and regular updates (you will need explicit consent for every way you will use their data).
- What you state in your privacy statement
- What you state in your security statement
- Where you store data (e.g. how you protect paper records and information held online or on devices)
- What software providers you use – they will need to be GDPR compliant if you are to be
- What data you ask for
- How long you hold data for (you are required to delete information you no longer need for the specific purpose it was given)
- Processes you have in place to give people access to data you keep about them and your complaints procedure
- How you demonstrate your compliance – you need to be able to do this!
These are just a few of the areas affected by this new legislation. Please make sure you become familiar with the legislation and how this applies to your business so you can be GDPR compliant. I share links to useful resources for this below.
Data Protection Principles
Article 5 of the GDPR outlines six principles that require personal data to be:
- Processed lawfully, fairly and in a transparent manner – the person consents to how the information will be used.
- Collected for specified, explicit and legitimate purposes – be clear and honest about why you’re asking for information and only use information obtained for the stated purpose. You also need to design/update privacy policies for your business that detail how you collect and use data. You need to design your own policies based upon what you need for your business.
- Adequate, relevant (to the purpose) and limited (to what you need) – no unnecessary information is to be collected.
- Accurate and up to date – you need a process for checking data and deleting what you no longer need.
- Kept for no longer than you need it – for the purposes the data has been collected! Have a data retention policy in advance and tell people in advance what you’re going to do. As per principle one, you need to be transparent and tell people in advance what’s involved.
- Secure – you need to process personal information in a manner that ensures appropriate security and protection against unauthorised use, accidental loss, destruction or damage. An important aspect to mention in this respect is the transfer of personal data outside Europe (e.g. you collect data using US-based software companies). If you use any such companies you need to check they are GDPR compliant too.
Do I really need to do this?
If you really care about your customers and protecting the personal information they give to you, much of this is best practice for the digital age. There are plenty of people who can help you with this. Start by checking out the resources I share below and then get the support you need to implement these.
If you fail to comply with the legislation, you could lose clients and receive a hefty fine.
It will be really easy for customers, clients and European authorities to establish whether you’re complying – they just need to look at your website or have an interaction with you where you ask for their personal information. I’ve always asked people (e.g. at the checkout in a shop) why they need my email address to process the sale as I hate it when anyone adds me to an email list without asking my permission to do so. How do you feel when people you don’t know ask you to hand over personal data?
From a practical perspective, it’s hoped that authorities will work with businesses to support compliance and that fines will only be a last resort for businesses who don’t come into line – time will tell.
I’ve been checking out lots of resources and many well-intentioned people are sharing incorrect information on this topic. Personally, I prefer to learn from governing bodies, data protection specialists, and lawyers. Here are a few useful resources I’ve found:
- The Information Commissioner’s Office – this is a good starting point. They’ve published a couple of useful guides that they update regularly.
- Suzanne Dibble – an award-winning UK data protection lawyer who has recently set up a Facebook Group providing daily videos and support relating to this topic for business owners around the world. She has an excellent 2-hour free training with great follow-up resources, including lots of templates and checklists that will save you hours of time. Check out her free training and resource pack HERE (this is an affiliate link, so if you’d prefer to look this up directly, join her free Facebook Group first HERE and you’ll find the link in there too).
- Annabel Kaye from Koffeeklatch – has a good short explanatory video and group support membership so you are supported as you implement GDPR. Find out more HERE.
If you’re unsure where to start, check out the resources above and reach out to get the support that you need. Feel free to comment below.
The Business for Good Mentor, Speaker, and Author
Alisoun’s keynote talks, training, mentoring, and best-selling books Give-to-Profit: How to Grow Your Business by Supporting Charities and Social Causes and Heartatude: The 9 Principles of Heart-Centered Success have favorably changed the good fortune of thousands of people worldwide. She loves doing humanitarian work, fundraising and living by the beach in Scotland.
Alisoun is also the founder of an online business training academy and has written the following free resources:
- Ebook: 101 Ways To Attract Great Clients, With Heart, Integrity & Social Impact (click here)
- Ebook: 52 Ways to Raise Funds for Charities and Social Causes Through Your Business (click here)
- Ebook: The 9 Secrets to Signing Up Clients Without Selling (click here)
- The Online Course Creator Checklist – download here.