GDPR Explained: What does your business need to know?

What is GDPR?

GDPR stands for General Data Protection Regulation, the EU law on the protection, use, processing and storage of personal data, which came into effect in 2018. GDPR protects the fundamental rights of individuals by regulating any information that identifies a person who has interacted with a business.

If your business is found to be in breach of GDPR rules, you can incur a fine of up to €20 million or 4% of the business's turnover.

Key Terms:

According to GDPR.EU, here are explanations of some of the legal terms:

Personal data — Personal data is any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data. Pseudonymous data can also fall under the definition if it’s relatively easy to ID someone from it.

Data processing — Any action performed on data, whether automated or manual. The examples cited in the text include collecting, recording, organising, structuring, storing, using, erasing… so basically anything.

Data subject — The person whose data is processed. These are your customers or site visitors.

Data controller — The person who decides why and how personal data will be processed. If you’re an owner or employee in your organisation who handles data, this is you.

Data processor — A third party that processes personal data on behalf of a data controller. The GDPR has special rules for these individuals and organisations.

In 2018 British Airways were hacked: their website traffic was diverted to a fraudulent website, where personal and credit card data were stolen, along with names, billing addresses and email addresses.

Initially British Airways were to be fined £183.4 million, but the fine was reduced to £20 million in October 2020 by the Information Commissioner's Office (ICO).

Now that we have explained what GDPR is and what happens when there is a data breach, we want to talk about how you can protect your business:

Review how you get your data

Ensure that you are always reviewing how you obtain your customers' data. For example, if you capture customer data through a competition entry, the entry must state what you intend to do with the data and that you are going to store it.

If you state that you only capture data via "contact us" forms, then you cannot capture data through lead generation, competitions, etc.

You may process the data on one of the following lawful bases:

1. Consent
2. Performance of a contract
3. To comply with legal obligations
4. To protect the vital interests of the data subject or other people
5. To perform a task in the public interest
6. Legitimate interest

Audit your database

Make sure that you are constantly checking that you hold the correct data and that you are using that data properly. For example, if you are bulk uploading data to your CRM, ensure when editing that data that you have not accidentally shifted values from one record into another. As a business, you do not want important information about one of your customers/clients being sent to another of your customers/clients.

Privacy Statement

If you are collecting data from people, you must tell them what you have collected and what you are doing with that data.

Here is a handy table from the ICO explaining what you may or may not need to inform people of.

Table included from ico.org.uk

| What information do we need to provide? | What should we tell people? | When is this required? |
| --- | --- | --- |
| The name and contact details of your organisation | Say who you are and how individuals can contact you. | Always |
| The name and contact details of your representative | Say who your representative is and how to contact them. | If applicable |
| The contact details of your data protection officer | Say how to contact your data protection officer (DPO). | If applicable |
| The purposes of the processing | Explain why you use people's personal data. Be clear about each different purpose. | Always |
| The lawful basis for the processing | Explain which lawful basis you are relying on in order to collect and use people's personal data and/or special category data. | Always |
| The legitimate interests for the processing | Explain what the legitimate interests for the processing are. | If applicable |
| The recipients, or categories of recipients of the personal data | Say who you share people's personal data with. | If applicable |
| The details of transfers of the personal data to any third countries or international organisations | Tell people if you transfer their personal data to any countries or organisations outside the EU. | If applicable |
| The retention periods for the personal data | Say how long you will keep the personal data for. | Always |
| The rights available to individuals in respect of the processing | Tell people which rights they have in relation to your use of their personal data, e.g. access, rectification, erasure, restriction, objection, and data portability. | Always |
| The right to withdraw consent | Let people know that they can withdraw their consent for your processing of their personal data at any time. | If applicable |
| The right to lodge a complaint with a supervisory authority | Tell people that they can complain to a supervisory authority. | Always |
| The details of whether individuals are under a statutory or contractual obligation to provide the personal data | Tell people if they are required by law, or under contract, to provide personal data to you, and what will happen if they don't provide that data. | If applicable |
| The details of the existence of automated decision-making, including profiling | Say whether you make decisions based solely on automated processing, including profiling, that have legal or similarly significant effects on individuals. Give people meaningful information about the logic involved in the process and explain the significance and envisaged consequences. | If applicable |

CRM Usage
CRM Usage

If your policies say you are only going to collect name and email address, but your CRM system collects name, email, address and phone number, then your database is NOT compliant.

If you are sending out newsletters, then you need an opt-in process so that your email contacts have agreed to receive email from you. You must also only email people about what they have signed up for. If you run a pet supply store and someone signs up to the dog newsletter but you start emailing them about cat harnesses, this could be considered a breach of GDPR.

Keep up to date

Keep up to date with GDPR: it is easy to forget what you need to do, overlook something, or not realise that there have been changes to the regulations.

You should review your GDPR compliance, your CRM and all of your data at least once a year, so you know your data is correct and in line with GDPR regulations.

Additional tip: the right to erasure

As an additional tip, everyone has the right to be erased from your database!

You must comply with a request for erasure without unnecessary delay, and at the latest within one month of receiving it.

You must also erase any data kept on back-up systems, not just on live systems.

GDPR can be a pretty scary topic, so if you have any questions about ensuring your data is not in breach of GDPR regulations, then email us at info@ambermountain.co.uk