Last week, Phil’s blog summarised the new GDPR regulations, which are applicable to all businesses from May 2018, and the implications for you and your business. These new laws significantly raise the bar on the legal requirements for both how you communicate with customers and how you look after their personal data.
The GDPR focus on four key areas:
Privacy: Telling your customers that you use their data responsibly is not enough. They have the right to view the information you keep about them and can ask you to update or delete it. You need to be able to provide a credible and complete response to any request from a customer and send them copies of the information you hold against their name.
Consents and Controls: You need to protect your customers’ personal data using appropriate security and only use it with their consent. Their consent needs to be specific and requires a positive opt-in. You cannot use pre-checked boxes or any other method of default consent.
Transparency: You have to provide clear notice of data collection and have clear policies relating to the data retention and deletion, with specific use cases.
Training: You are expected to train your staff in the implementation of your GDPR policies and, if required, appoint a Data Protection Officer to provide specialist over-site.
Implementation
All this might seem familiar as similar requirements have existed for some time but now the consequences and penalties for not complying are considerably higher. Legislators are shouting louder to get your attention and it is probably wise that you take notice as they will be incorporated into UK law after Brexit.
Some obvious questions follow from the above:
-
- Do you have an up-to-date customer database? If so, does it record when and how you got permission to use cookies and/or market to them? Do you store evidence to prove that they have given you permission? Do you have a process for making sure that all customer data is captured in a consistent and coherent way with an audit trail to demonstrate that to others?
- Do you have a process for replying to personal data requests that not only sets out how you will do it, but ensures that all data is captured and that you have responded in a timely fashion?
You might think that this seems like big business bureaucracy and is not important to a small business like yours, but the regulations apply to all businesses. Unfortunately, small businesses are naturally disadvantaged in dealing with this sort of requirement, not just because they are small, but because they tend to be less process-oriented and less in control of the sort of detail that is now required.
Most ‘best practice’ business activity requires a degree of discipline and attention to detail that does not always come naturally to entrepreneurs, so this is going to be a challenge for many of you. You can think about it as introducing a similar level of care, attention, and discipline, to customer data as you are already required by law to apply to your financial data.
You have a choice.You can ignore it all and hope that you won’t get caught, or you can start to think more about processes in your business. Some useful GDPR resources are available online, but if we can help in any way, feel free to contact us on +44 (0) 1932 450 654, or using the form below.