Are you aware that Data Protection Regulations are going to change in May 2018? Your business will certainly be affected if you hold personal data on individuals in any form. Personal Data includes anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.
With an overload of information being broadcast to small business owners, GDPR has become confusing, and it is easy to get caught out by GDPR myths that are designed to prompt a negative reaction. Let’s go through a list of must-know tips to help clarify what you need to do to be prepared for the change.
What is GDPR?
GDPR is the biggest change to Data Protection Laws in the UK since the 1998 Data Protection Act. It seeks to improve privacy protection for consumers by changing the way businesses collect, use and transfer personal data.
It is designed to protect the privacy of individuals dealing with businesses and to give them more power to control the information that businesses hold on them.
The GDPR revolves around key principles and safeguards:
1. Personal data should be held fairly and lawfully
2. Only for specified purposes which are clearly understood
3. Data should be adequate for the purpose but not excessive
4. Personal data should be accurate and kept up-to-date
5. Kept for no longer than necessary and deleted when no longer necessary
6. Processed in accordance with the rights of the individual (the Data Subject, i.e. the person the data is about)
7. Kept secure and safe, with policies and procedures in place to ensure this
8. Not transferred to any country outside the EEA (unless that country has a level of Data Protection legislation which is up to the same standard)
Looking at the 8th point, you might be wondering whether Brexit will override the GDPR. This is simply not the case.
Firstly, GDPR and Brexit are not happening at the same time: the GDPR comes into effect before the UK officially leaves the European Union on 29 March 2019, and even after Brexit an equivalent set of Data Protection Regulations will need to be in place to continue trading with the EU.
Secondly, the British government is apparently considering something similar to GDPR for UK-based businesses that only deal with UK-based citizens.
So the first thing you need to do is to register with the ICO, if you have not done so already, by visiting https://ico.org.uk/registration/new.
The next important thing is to start planning: you need to start now, with people actioning a GDPR compliance implementation project.
What is Consent?
After the GDPR comes into force you can only hold the personal data of individuals if you have gained their consent lawfully. This leads to the question of why consent is needed in the first place, and why the GDPR makes it compulsory.
The simplest answer is that the new regulation is designed to protect the rights of the individual; therefore consent must be:
1. Given freely: you need to specifically ask for consent and allow the individual to decline to give it.
2. Specific: if an individual consents to be on your mailing list to receive special offers, you can’t send them an email about anything other than special offers. You can only use their data for the reasons they have consented to. This means that for different activities you need the individual to consent to each request separately. Consent can no longer be implied because it is mentioned in your website terms and conditions.
3. Unambiguous: you cannot ask vaguely when gaining consent. You have to state the specific reason you are requesting consent to hold the data.
What are Data Subjects' Rights?
GDPR gives customers, or Data Subjects, the right to obtain:
1. The purpose of processing of their data
2. The categories of personal data concerned
3. The details of who will receive their personal data, whether it is visible to or shared with third parties, and whether they agreed to those third parties receiving the data.
4. The period for which the data will be stored.
5. The right to erasure of personal data or restriction of processing of personal data concerning the data subject.
6. The right to lodge a complaint with a supervisory authority
What must you do?
You need to document how you comply with GDPR. You must be able to report data breaches and show how you maintain data privacy and security. It’s your responsibility to keep data safe and to ensure that any third parties maintaining data also have safe and secure processes.
Many people think that keeping documents or data in the cloud would make them GDPR compliant. Cloud storage in isolation is not a solution to GDPR. You need to be able to manage consent, save a record of that action and maintain access to enable the rights of individuals. For example, if an individual requests access to their data to clarify what information you are holding, what process or structure do you have in place to manage that? There can be no charge for this service and you have to complete the request within thirty days.
What you need is a data management system (Smart CRM) that manages and records all customer communication, including emails, texts and phone calls, as well as the correct consent at each point in the customer's journey. A complete history is automatically maintained, ensuring a complete and effective audit trail. Additionally, management controls over the data held can help you avoid data breaches by organising who on your team can access data and at what level.
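To make the consent and data-subject-rights requirements above concrete, here is a small added example in Python (it is not code from this page or from Market Visibility's GDPR Data Safe product). It keeps a per-purpose consent ledger, refuses to send a message for any purpose the individual has not consented to, writes every action to an audit trail, answers a subject access request with a thirty-day response deadline, and handles an erasure request. The class and method names, the purposes "special_offers" and "newsletter", and the sample customer record are all assumptions constructed for the example.

```python
"""Consent ledger with audit trail and data-subject request handling.

Added example only; names and sample data are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List

SAR_DEADLINE_DAYS = 30  # subject access requests must be completed within thirty days


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str        # consent is purpose-specific, e.g. "special_offers"
    granted: bool       # True = consent given, False = consent withdrawn
    recorded_at: datetime
    evidence: str       # how consent was captured (form id, wording shown, opt-out link)


@dataclass
class AuditEvent:
    at: datetime
    subject_id: str
    action: str
    detail: str


class ConsentLedger:
    """Hypothetical ledger: stores profiles, consent decisions and an audit trail."""

    def __init__(self, clock: Callable[[], datetime] = None):
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._consents: Dict[str, List[ConsentRecord]] = {}
        self._profiles: Dict[str, dict] = {}
        self.audit: List[AuditEvent] = []

    def _log(self, subject_id: str, action: str, detail: str = "") -> None:
        self.audit.append(AuditEvent(self._clock(), subject_id, action, detail))

    def store_profile(self, subject_id: str, **fields) -> None:
        # Record which fields changed, not their values, so the trail itself holds little data.
        self._profiles.setdefault(subject_id, {}).update(fields)
        self._log(subject_id, "profile_updated", ",".join(sorted(fields)))

    def record_consent(self, subject_id: str, purpose: str, granted: bool, evidence: str) -> ConsentRecord:
        rec = ConsentRecord(subject_id, purpose, granted, self._clock(), evidence)
        self._consents.setdefault(subject_id, []).append(rec)
        self._log(subject_id, "consent_granted" if granted else "consent_withdrawn", purpose)
        return rec

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        # Only the most recent decision for this exact purpose counts; consent to
        # "special_offers" never implies consent to "newsletter".
        for rec in reversed(self._consents.get(subject_id, [])):
            if rec.purpose == purpose:
                return rec.granted
        return False

    def send_message(self, subject_id: str, purpose: str, body: str) -> bool:
        """Gate every outbound message on current consent for its specific purpose."""
        if not self.has_consent(subject_id, purpose):
            self._log(subject_id, "message_blocked", purpose)
            return False
        # A real system would hand off to the email/SMS sender here.
        self._log(subject_id, "message_sent", f"{purpose}:{len(body)} chars")
        return True

    def subject_access_request(self, subject_id: str) -> dict:
        """Export what is held, the purposes consented to, the history, and the deadline."""
        now = self._clock()
        report = {
            "profile": dict(self._profiles.get(subject_id, {})),
            "consents": [(r.purpose, r.granted, r.recorded_at.isoformat())
                         for r in self._consents.get(subject_id, [])],
            "history": [(e.at.isoformat(), e.action, e.detail)
                        for e in self.audit if e.subject_id == subject_id],
            "respond_by": (now + timedelta(days=SAR_DEADLINE_DAYS)).isoformat(),
        }
        self._log(subject_id, "access_request")
        return report

    def erase(self, subject_id: str) -> int:
        """Right to erasure: remove profile and consents; keep only an 'erased' audit stub."""
        removed = len(self._profiles.pop(subject_id, {})) + len(self._consents.pop(subject_id, []))
        # Earlier audit entries for this subject are dropped too, so the trail proves
        # the erasure happened without continuing to hold the subject's data.
        self.audit = [e for e in self.audit if e.subject_id != subject_id]
        self._log(subject_id, "erased", f"{removed} items")
        return removed


def demo() -> tuple:
    """Walk one constructed customer through consent, sending, access and erasure."""
    ledger = ConsentLedger()
    ledger.store_profile("cust-001", name="A. Example", email="a@example.invalid")  # constructed
    ledger.record_consent("cust-001", "special_offers", True, "web form v3, box unticked by default")
    sent_offer = ledger.send_message("cust-001", "special_offers", "10% off this week")
    sent_news = ledger.send_message("cust-001", "newsletter", "Monthly news")  # no consent: blocked
    report = ledger.subject_access_request("cust-001")
    removed = ledger.erase("cust-001")
    return sent_offer, sent_news, report, removed


if __name__ == "__main__":
    print(demo())
```

The design point is that consent is keyed by purpose and only the latest decision counts, so an unsubscribe for one purpose is honoured immediately while other consents stand, and the access report can be produced from the same records that drive sending, which is what makes the audit trail usable when a request arrives.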
GDPR Data Safe offers the one stop solution to all your Data Protection needs and is the latest enterprise business software from Market Visibility.
The system is easy to use, with screens that allow you to send email and text broadcasts at the touch of a button, then capture customer consent, with the details stored in the unique customer history.
There is a template manager where you can simply create a new email template or edit an existing one. It is easy to set up the forms or letters you commonly use in advance, so quick replies take no time to action.
When an email is requested to be sent, the system takes control, sends the emails and records the actions in the system history. The records are easy to retrieve later using a simple search mechanism, which makes handling customer requests to update or delete their data easy and GDPR compliant.
It would be great to demonstrate how our software can work for you to take Simple Steps to compliant customer communication.
0282 003 2280
Submit an enquiry.