You may have heard that a new law concerning data processing will come into force later this year. But what does it mean, and how will it affect you and your business?
We’ve been putting our heads together over the last couple of months to make sure that everything we do, both internally and for our clients, is in line with the new requirements.
We’ve collected some of the main points below, and although this is by no means an exhaustive list of the changes that will be implemented under the new GDPR law, we think it’s a pretty good starting point.
So what is GDPR?
The introduction of GDPR on 25th May 2018 will be the most significant change to data protection law in recent years.
Following extensive work by the EU to bring data protection legislation up-to-date, the General Data Protection Regulation will change the way that data is processed, stored and used.
Does this affect me?
Yes, this will affect every business that processes data. As the business owner, you are a data controller – your web developer (that’s us if you’re one of our clients), your hosting provider and any third party marketing tools are all data processors.
This means that as the data controller, you are responsible for the personal data that you hold about your customers.
What do I have to do?
- It’s a great idea to choose one member of staff within your organisation to look after your data protection policy and implementation. This is only a specific requirement in certain circumstances, but it will be helpful to have one main contact who fully understands your new obligations.
- Organise an information audit. You’ll need to know where the data you hold for your customers has come from, how permission was granted (e.g. direct sign up to mailing list) and who you’re sharing it with.
- Update your privacy policy, both online and internally. This must be clearly displayed on your website and be easily accessible to customers. Specify which information you are collecting, where it’s stored, why you need it, what you’ll do with it and how long you’ll keep it for.
- Remove all automatic opt-ins on your site. All checkboxes must be un-ticked and must not be a requirement for purchase or form completion.
- Only collect customer information that you require to run your business. Any information you hold must be protected, so delete any personal details that are no longer in use.
- If you’re handling sensitive data, make sure it’s encrypted. This is good practice anyway and something that we advocate for our clients as standard, particularly through the software and platforms we use.
- Have a data breach plan in place, just in case.
- Evaluate your marketing strategy. If IGOO handle aspects of your marketing for you, we are aware of the various aspects that may come into conflict with GDPR and will be contacting you directly to outline any changes.
- Under the new law, you are unable to send unsolicited emails to anyone. That means that any email marketing lists that have been purchased are no longer usable and could land you in serious hot water. A clean-up of any subscriber lists will be necessary before 25th May.
Some other sources/articles we recommend having a look at:
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/