The implementation date has been and gone, and whilst there was a lot of unnecessary panic and worry, it is clear that since the hype of it all, many businesses are failing to implement simple practices to ensure they remain, or ever were, GDPR compliant.

We are often asked by our clients, ‘Will this document make me compliant?’ The short answer is ‘no’.

A privacy policy on your website does not automatically make you GDPR compliant. Using a GDPR compliant website or an email marketing platform that is GDPR compliant will still not ‘make you compliant’. Yes, it may be secure, encrypted and all that jazz, but as a data controller you still need to process that data correctly.

Unfortunately, the internet is still overloaded with GDPR compliance stuff that isn’t exactly always correct and understandably this can be super confusing for any business owner.  My advice would be to look at the source – are they credible?  If you prefer 1 on 1 advice, speak to someone you trust in a professional capacity and someone who can simplify it so you completely understand how it applies to you and your business, not the world in general.

So how does it apply to you?

Remember

The definition of personal data has become wider, so any information that can directly or indirectly identify a person is now considered personal data. So that’s names, photographs, telephone numbers and emails. This includes business emails such as mine, hazel@bebconsultancy.co.uk, but not our generic info@ address.

It would be a good idea to ask yourself these simple questions with the current personal data you hold in mind:

  • How did you collect this data?
  • What is your lawful basis for processing this data?
  • Where is the data stored?
  • How old is this data?
  • Is it sent to or used by any 3rd parties?

These answers will help you identify weak spots in your data handling and will highlight whether there are any issues with it.  If you’re not sure how you collected the data or whether you asked for consent or not, then that’s clearly an issue that needs to be looked at.  By getting an overview of the current data you hold and how you use it, you’ll be able to see which areas need improvement to become GDPR compliant.

Bear in mind, it is only lawful to process data in certain circumstances and you need to be clear on what your basis is for each set of data you’re holding.  If you have a contract with someone, for example, it is lawful to use the data to fulfil your obligations under that contract – this would include your employees, customers and suppliers.  It is also lawful if you’ve obtained consent from the individual.  Just make sure you are clear on what basis you are using.  Take a look at the ICO website if you’re not sure – they have some useful guidance.

It’s a good idea to delete unnecessary data. Depending on how long your business has been operating, it is likely you have a lot of data stored in various places that you no longer need. By cleansing your database, not only will you be more focused on who your real prospects and customers are, you will also reduce the risk of any breaches. You also have an obligation under GDPR to keep your data up-to-date, which is just about impossible if you’ve had it for decades.

An easy job to do is to make sure you have a privacy policy on your website.  You need to be telling data subjects how you manage their data, your lawful reasons for processing their data, any marketing you’ll be sending and how long you will hold on to their data for.  You also need to inform them of their rights.  A privacy policy can cover all this.

Marketing is probably the biggest worry surrounding GDPR, although the majority of the rules around marketing are covered under the Privacy and Electronic Communications Regulations.  The GDPR does not replace PECR – although it has widened the definition of consent.  You need to comply with both GDPR and PECR for even your B2B marketing.  Again, consent is not the only way to market but you do need to be clear about what lawful basis you are relying on.  Consent must be freely given (so no pre-ticked boxes or schemes to build a marketing list); this means giving people genuine ongoing choice and control over how you use their data.

Consent should be obvious and require a positive action to opt in. Saying ‘Enter my competition with your email address but by doing this you agree to all future marketing’ is not a positive opt-in. I would also be very clear in any emails you send about why you are sending them: ‘You are receiving this email because … ’. Not only is this clear and transparent (another principle), it also excludes the possibility of the recipients complaining about your method of contact. The email may be perfectly legit, but saying why avoids any misunderstanding and avoids appearing as though you have ignored GDPR altogether.

If it’s still all too much, give BEB a call for some sensible, jargon-free, practical advice!

hazel@bebconsultancy.co.uk / 01604 21765

 

About Hazel Napier

I've been with BEB more or less since the company started 10 years ago and we've built a team of 5 of us, who all love terms and conditions! We help all sorts of businesses get their ts & cs and business contracts sorted - whether that's writing new ones or starting from scratch.