The General Data Protection Regulation (GDPR) comes into force in the UK on 25 May 2018. It replaces the existing Data Protection Act. Today I’m sharing the four big things you need to know about GDPR 2018 and some questions to help you start thinking about what you need to do to prepare your business. If you gather and hold personal data as part of running your business, you need to make sure you are going to comply with the requirements of the GDPR.
Granted, it’s NOT the most exciting business topic you’ll ever learn about – but you absolutely DO need to learn about it and make sure you comply with it! (Not just because you can be fined for not complying, but because I know you want to run a business that takes proper care of personal information. I know you want anyone with your personal information to keep it safe too.)
What is personal information?
Pretty much anything that can be used to identify someone – name, email address, phone number, IP address, home address and so on. Then there are particular rules for ‘special category data’ – that covers health, religious beliefs, political beliefs, ethnic identity and so on.
Here are some questions to start you thinking about GDPR 2018:
What personal data do you gather in your business? (You do gather personal data by the way…)
What systems do you use to gather, process and store your data? (That can be anything from a spreadsheet to a mailing list provider.)
Have you checked if the services you use are going to comply with the GDPR? (Some service providers have free, personal and business offerings – and you need to be sure the service you are using is one that has specifically said it complies with GDPR.)
What about ‘special category data’? (This includes an individual’s health information and their religious and political beliefs, among other things.)
Have you checked all the systems you use that involve ‘special category data’ within the EU?
Do you have a record to show you have listed where you have data, and that you have checked it complies?
Do you have personal data on your smartphone as well as your computer etc? How are you protecting that? (This is not just about protecting data within certain documents – personal data could be as little as a phone number or email address in your contacts.)
What about any outsourcing you do? Do any other services have access to your data? How are they complying?
How long are you holding data for?
Do you have a procedure for checking and disposing of data? Can you tell people what that is?
What consent do you have to use and store the data you’ve gathered?
Could you prove you have consent? (For example, could you prove the owner of the data gave you permission to add their email address to your newsletter list? They might have signed up for a free opt-in, but did they also give specific consent to go on to a newsletter list?)
When you were given consent, did you spell out what you would use data for, and what you would not use it for?
Are you using double opt-ins on your emails?
What about those who are currently on your lists? Are you going to re-consent everyone to make sure they give consent again?
Are you registered with the Information Commissioner’s Office as a Data Controller?
Do you know what to do if someone asks to see their data under GDPR?
Do you know how long you have to respond to any access requests?
Do you know about the rights we all have to be removed from records?
Do you know that if any personal data you hold is breached you need to report it within 72 hours? Would you be able to do that?
Do you have your smartphone encrypted?
Do you do regular phone and laptop/PC backups?
Do you have good anti-virus software installed?
Where do you store passwords?
Are you using a password manager system AND does it comply with GDPR?
Do you have policies in place that cover all of the above?
What Do I Know!?
As an online business that supports other online businesses, I’m involved in two ways! Safeguarding the data I hold in my own business, but also making sure I am being responsible in how I manage clients’ data. I’m a registered Data Controller with the Information Commissioner and also involved in several groups looking at how we can best comply with GDPR. This is an area where I am careful though – I am informed, but I am not qualified to decide whether something does/doesn’t meet the GDPR rules; for that you need an accredited Data Protection Officer… I’m looking into the possibility of accreditation though!
I hope this is a helpful place for you to start thinking about the questions you need to be answering for your own business.
I’m also working on a blog on email lists and the fear we all have of people not signing up again, as well as a checklist to help you start working through checking your data. Keep up to date here at www.tickthelist.co.uk/blog.
If you’ve any questions get in touch with me here too.
Always happy to help