Are You Ready for the New Data Protection Legislation (GDPR)?

New data protection legislation comes into effect on 25th May 2018 that will affect businesses and organisations around the world that collect ‘personal’ data about individuals living in Europe – no matter what country your business operates in.

There is a LOT of misinformation being shared about what we need to do (or not do) to be compliant with the new General Data Protection Regulation (GDPR).

The purpose of this blog post is to give you an overview of areas of your business this is likely to affect and to signpost you to resources to help you implement the required changes to how you collect and store personal data.

Please note that I’m not a lawyer nor a data protection specialist and so what I share only covers some of the basics – it’s worth checking out exactly what you need to do with data protection experts.  

Why is this happening?

How do you feel when someone asks you for personal information, e.g. your email address, phone number, bank details and more sensitive data?
  • Have you ever received spam emails or phone calls from people you have not given your personal details to? Or worse still had your identity stolen?

  • Do you have any reservations about sharing personal information – particularly with people you don’t know or online?

  • Would you prefer to only give this to businesses you know will take care of this information, i.e. you know they’ll do what they can to make sure it doesn’t fall into the wrong hands?

When we’re in business we have a duty of care to all those we gather personal data from: to only use it for the purpose it was collected for and to ensure it doesn’t fall into the wrong hands. These are a couple of the reasons GDPR is coming into effect. It also brings existing data protection legislation up to date with the digital age we’re now living in and introduces a single framework across Europe.

GDPR applies to all businesses, whatever country you live in, if you’re marketing to or servicing clients who live in Europe (and gather any kind of personal data from them). Here’s a recent Forbes article: “Yes, the GDPR Will Affect Your US-Based Business”.

What is the scope of these changes?

There are many areas of your business this could affect, including (but not limited to):
  • What you say before you ask people to opt in/sign up to your email list or lead magnets – you will need to be specific about what they are signing up for and only use their information for this specific purpose.
  • How you communicate with paying customers after they buy one of your products/services – they need to specifically and proactively opt-in to receive any further communications.
  • How you ask people to sign up to free gifts, newsletters and regular updates (you will need explicit consent for every way you will use their data).
  • What you state in your privacy statement
  • What you state in your security statement
  • Where you store data (e.g. how you protect paper records and information held online or on devices)
  • What software providers you use – they will need to be GDPR compliant if you are to be
  • What data you ask for
  • How long you hold data for (you are required to delete information you no longer need for the specific purpose it was given)
  • Processes you have in place to give people access to data you keep about them and your complaints procedure
  • How you demonstrate your compliance – you need to be able to do this!

These are just a few of the areas affected by this new legislation. Please make sure you become familiar with the legislation and how this applies to your business so you can be GDPR compliant. I share links to useful resources for this below.

Data Protection Principles

Article 5 of the GDPR outlines six principles that require personal data to be:

  1. Processed lawfully, fairly and in a transparent manner – the person consents to how the information will be used.

  2. Collected for specified, explicit and legitimate purposes – be clear and honest about why you’re asking for information and only use information obtained for the stated purpose. You also need to design/update privacy policies for your business that detail how you collect and use data. You need to design your own policies based upon what you need for your business.

  3. Adequate, relevant (to the purpose) and limited (to what you need) – no unnecessary information is to be collected.

  4. Accurate and up-to-date – you need a process for checking data and deleting what you no longer need.

  5. Kept for no longer than you need it – for the purposes the data was collected for! Have a data retention policy in advance and tell people in advance what you’re going to do. As per principle one, you need to be transparent and tell people in advance what’s involved.

  6. Security – you need to process personal information in a manner that ensures appropriate security and protection against unauthorised use, accidental loss, destruction or damage. An important aspect to mention in this respect is the transfer of personal data outside Europe (e.g. you collect data using US-based software companies). If you use any such companies you need to check they are GDPR compliant too.

Do I really need to do this?

If you really care about your customers and protecting the personal information they give to you, much of this is best practice for the digital age. There are plenty of people who can help you with this. Start by checking out the resources I share below and then get the support you need to implement these.

If you fail to comply with the legislation, you could lose clients and receive a hefty fine.

It will be really easy for customers, clients and European authorities to establish whether you’re complying – they just need to look at your website or have an interaction with you where you ask for their personal information. I’ve always asked people (e.g. at the checkout in a shop) why they need my email address to process the sale as I hate it when anyone adds me to an email list without asking my permission to do so. How do you feel when people you don’t know ask you to hand over personal data?

From a practical perspective, it’s hoped that authorities will work with businesses to support compliance and that fines will only be a last resort for businesses who don’t come into line – time will tell.

Useful Resources

I’ve been checking out lots of resources and many well-intentioned people are sharing incorrect information on this topic. Personally, I prefer to learn from governing bodies, data protection specialists, and lawyers. Here are a few useful resources I’ve found:

  • The Information Commissioner’s Office – this is a good starting point. They’ve published a couple of useful guides that they update regularly:
    • A Guide to GDPR (PDF version) – click HERE.
    • A Guide to GDPR (website) – click HERE.
  • Suzanne Dibble – an award-winning UK data protection lawyer who has recently set up a Facebook Group providing daily videos and support relating to this topic for business owners around the world. She has an excellent 2-hour free training with great follow-up resources, including lots of templates and checklists that will save you hours of time. Check out her free training and resource pack HERE (this is an affiliate link, so if you’d prefer to look this up directly, join her free Facebook Group first HERE and you’ll find the link in there too).

  • Annabel Kaye from Koffeeklatch – has a good short explanatory video and group support membership so you are supported as you implement GDPR. Find out more HERE.

If you’re unsure where to start, check out the resources above and reach out to get the support that you need. Feel free to comment below.

Good luck!

Alisoun Mackenzie

The Business for Good Mentor, Speaker, and Author

Alisoun’s keynote talks, training, mentoring, and best-selling books Give-to-Profit: How to Grow Your Business by Supporting Charities and Social Causes and Heartatude: The 9 Principles of Heart-Centered Success have favorably changed the good fortune of thousands of people worldwide. She loves doing humanitarian work, fundraising and living by the beach in Scotland.

Alisoun is also the founder of an online business training academy and has written the following free resources:

  • Ebook: 101 Ways To Attract Great Clients, With Heart, Integrity & Social Impact (click here)
  • Ebook: 52 Ways to Raise Funds for Charities and Social Causes Through Your Business (click here)
  • Ebook: The 9 Secrets to Signing Up Clients Without Selling (click here)
  • The Online Course Creator Checklist – download here.

You can connect with Alisoun here:

  • Alisoun’s website – 
  • Alisoun Mackenzie Facebook Fanpage – click HERE
  • Give To Profit Facebook Fanpage – click HERE
  • Linkedin – click HERE
  • Twitter – @AlisounMac
  • Youtube – click HERE.
Copyright Alisoun Mackenzie 2017 with love