Disclaimer – I am not legally trained and so this is not official guidance!
What is GDPR?
GDPR stands for General Data Protection Regulation. It is a new EU law that replaces the Data Protection Act and comes into force on 25th May 2018. (Leaving the EU does not mean that it won’t apply to the UK.)
Why is it being enforced?
It is a new type of law intended to protect people’s data. It applies to all organisations and sets out specific guidelines for how that data must be looked after. In basic terms, if you collect information about people – for example, people sign up to your mailing list via a link on your website, you call potential clients from your CRM database, or you receive information via a contact form on your website – then it will apply to you.
What is personal data?
As stated:
Personal Data means any information relating to an identified or identifiable natural person (a “data subject”). An identifiable person is one who can be identified, directly or indirectly, in particular, by reference to an identifier such as a name, an identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. ~Article 4(1) of the EU GDPR 2016/679
Some places where information can be captured include:
- Via a website – if customers contact you via an enquiry form, enter details to buy a product, or hold online accounts that store information
- Direct mail – if people fill in order forms and competitions by post
- Telesales – if you hold data on customers or potential customers for agents to contact
- Customer service – the storage of data for existing and new clients
- Personal contact – via networking events or keeping business cards
What do you need to do?
- Review your procedures – take a look at what data you collect and by what method. For example, do you have a contact form on a website? When you receive the completed form, where do you store that information? Take precautions to keep that data safe and secure.
- Right to be forgotten – allow customers a clear route to ask you to remove their details and do so when they ask.
- Do I really need all the information? – decide if the data you collect is really essential, and if it’s not, don’t collect it.
- Protect your website – make sure you have an SSL certificate in place, and that when your data arrives with you, you keep it safe and secure. E.g. don’t write it on a post-it note and chuck it in the bin! Make sure you display a Privacy Policy that explains your procedures and the precautions you take.
- Prepare a breach policy – the GDPR rules state that if a breach is found to have taken place, you must report it to the individual within 72 hours. Make sure you have a plan prepared for how to do this.
There is a potential fine that can be issued if the regulations aren’t followed, so it makes sense to take the necessary steps. And also because it is probably how you’d want your data to be treated by other companies as well!
Helpful Information
https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/
https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf