What is GDPR?
GDPR stands for General Data Protection Regulation, which is the EU Law on the protection, use, process and storing of data that came into effect in 2018. GDPR protects the fundamental rights of any identifying information of a person who has interacted with a business.
If your business is found to be in breach of GDPR rules, you can incur a charge of up to €20 million or 4% of the business’ turnover.
According to GDPR.EU here are explanations of some of the legal terms:
Personal data — Personal data is any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data. Pseudonymous data can also fall under the definition if it’s relatively easy to ID someone from it.
Data processing — Any action performed on data, whether automated or manual. The examples cited in the text include collecting, recording, organising, structuring, storing, using, erasing… so basically anything.
Data subject — The person whose data is processed. These are your customers or site visitors.
Data controller — The person who decides why and how personal data will be processed. If you’re an owner or employee in your organisation who handles data, this is you.
Data processor — A third party that processes personal data on behalf of a data controller. The GDPR has special rules for these individuals and organisations.
Now that we have explained what GDPR is and what happens when there is a data breach, we want to talk about how you can protect your business:
Review how you get your data
Ensure that you are always reviewing how it is you are getting your customers’ data, for example if you are capturing customer data by competition entry then it must state what your intentions with the data are and the fact that you are going to store it.
If you state that you only capture data via contact us forms, then you cannot capture data through lead generation, competitions etc.
You can process the data using one of the following reasons:
2. Performance of a contract
3. To comply with legal obligations
4. To protect the vital interests of the data subject or other people
5. To perform a task in the public interest
6. Legitimate Interest
Audit your database
Make sure that you are constantly monitoring that you have the correct data and that you are using that data properly. For example, if you are bulk uploading data to your CRM, when you are editing that data ensure you have not accidentally moved some data over. As a business, you do not want important information on one of your customers/clients being sent to another of your customers/clients.
If you are collecting data from people, you must tell them what you have collected and what you are doing with that data.
Here is a handy table from the ICO to explain what you may or may not need to inform people of.
Table included from ico.org.uk
|What information do we need to provide?||What should we tell people?||When is this required?|
|The name and contact details of your organisation||Say who you are and how individuals can contact you.||Always|
|The name and contact details of your representative||Say who your representative is and how to contact them.||If applicable|
|The contact details of your data protection officer||Say how to contact your data protection officer (DPO).||If applicable|
|The purposes of the processing||Explain why you use people’s personal data. Be clear about each different purpose.||Always|
|The lawful basis for the processing||Explain which lawful basis you are relying on in order to collect and use people’s personal data and/or special category data.||Always|
|The legitimate interests for the processing||Explain what the legitimate interests for the processing are.||If applicable|
|The recipients, or categories of recipients of the personal data||Say who you share people’s personal data with.||If applicable|
|The details of transfers of the personal data to any third countries or international organisations||Tell people if you transfer their personal data to any countries or organisations outside the EU.||If applicable|
|The retention periods for the personal data||Say how long you will keep the personal data for.||Always|
|The rights available to individuals in respect of the processing||Tell people which rights they have in relation to your use of their personal data, e.g. access, rectification, erasure, restriction, objection, and data portability.||Always|
|The right to withdraw consent||Let people know that they can withdraw their consent for your processing of their personal data at any time.||If applicable|
|The right to lodge a complaint with a supervisory authority||Tell people that they can complain to a supervisory authority.||Always|
|The details of whether individuals are under a statutory or contractual obligation to provide the personal data||Tell people if they are required by law, or under contract, to provide personal data to you, and what will happen if they don’t provide that data.||If Applicable|
|The details of the existence of automated decision-making, including profiling||Say whether you make decisions based solely on automated processing, including profiling, that have legal or similarly significant effects on individuals. Give people meaningful information about the logic involved in the process and explain the significance and envisaged consequences.||If applicable|
If your policies say you are only going to be collecting name and email address but your CRM systems collects Name, Email, Address and Phone Number then your database is NOT compliant.
If you are sending out newsletters then you need to make sure you have an Opt-In process for getting your email contacts to agree to be able to email them. You also must continue to email people with only what they are interested in. If you run a pet supply story and someone signs up to the Dog Newsletter but you start emailing them about Cat Harnesses this could be considered a breach of GDPR.
Keep up to date
Keep up to date with GDPR, it is so easy to forget what you need to do, overlook something or not realise that there has been changes within the regulations.
You should review your GDPR, CRM and all data at least once a year, so you know your data is correct and in line with GDPR regulations.
Additional, right to erasure
As an additional tip, everyone has the right to be erased from your database!
You must comply with a request of the right to be erased with no unnecessary delay however, at the latest you should comply within one month of receiving.
You must also erase any data that is kept on back-up systems along with live systems.
GDPR can be an pretty scary topic, so if you have any questions about ensuring your data is not in breach in GDPR regulations then email us on email@example.com