Preparing for GDPR

Only 38 per cent of businesses, and 44 per cent of charities, say they have heard of the General Data Protection Regulation (GDPR), the Government’s Cyber Security Breaches Survey 2018 found.

The personal data of customers and employees will – that’s everything from names to photos – need to be confidential. This also means that the way people give permission for you to collect their data must be straightforward. So those tick boxes at the bottom of forms need to be unticked and worded in a clearly understandable way for customers to consent to. There’s no more hoping that members of the public forget to revoke consent and no surprising people’s inboxes with whose information has been purchased from other sources. If you have consented to a business using your data, that company must contact you every time they want to use it and clearly state what for.

When Googling ‘GDPR’ there seems to a lot to think about in terms of how to prepare, and lots of speculation on how exactly it will affect different industries. Whilst we can’t say exactly how you’ll be affected, we can advise on what you need to do in order to prove to the Government that you’re taking this new law seriously and taking measures to uphold it.

What will happen if you fail to comply

Non-compliance could result in fines of up to €20m (£17m) or four per cent of your annual turnover – whichever is higher. But we’ve heard that if you have actively attempted to cover yourself, your employees, and your customers, then they may go easy on you.

What you need to put in place

Appointing a data controller or data protection officer that will make decisions on how to collect, store and handle data will work in your favour. This person should take responsibility for GDPR protocols and take action if a data breach occurs. Data breaches should be reported within 72 hours.

You should make checks to ensure the companies and people you work with are also compliant.

Document everything. Any time you come into contact with someone’s personal data, make note of it. Keep track of where it came from, how you received it, why you collected it, and dates of all of these.

If a person asks you to remove or update their data then you need to do so. If you don’t, you are breaking the law. You need to make it easy for anyone to request this by providing clear buttons, forms or contact details to do so. It must be as easy for them to take their data away as it is to give. And they must not unknowingly give their data to you. No more newsletter sign-ups already ticked – they must tick themselves.

Get your team up to scratch. They all need to understand GDPR too. Make sure they understand what a data breach is.

Make your privacy policy known to everyone who deals with you. Add all the ins and outs of GDPR, why you will be collecting data, and what you will be using it for. Remember to update customers you already work with on your new privacy policy. It must be available for anyone to access.

GDPR and Marketing

As Cross Productions and Niche Magazine deal largely with marketing, we understand the vast importance that personal data holds for us and our customers. Like it or not, GDPR will affect our marketing activity.

As stated before, make sure your privacy policy is explicitly clear about why you need people’s data and what you might want to use it for. Your data systems will need to be highly organised and efficient – which can only mean good things in terms of business efficiency and improving your ability to create content that targets a more specific audience.

Since the beginning of the year we have been preparing. We send out a lot emails to let people know about events and new services we can offer them, but now – despite whether they gave us permission to use their data before – they have to re-opt in. We’ve had to send them emails asking if we can stay in touch after May 25. You must re-gain permission and keep your mailing list up to date from now on!

You can find more information here.