Unless you’ve been living in a cave somewhere, you will have heard of a new regulation coming into force in a few weeks called GDPR. You may even have dismissed it as something that will only apply to big businesses, but we’re here to let you know that it will almost definitely apply to you too, and you will need to take steps to ensure you’re compliant.
Don’t panic, though, there’s still time to get everything done. We’ve put together a little list of our most frequently asked questions concerning GDPR, and we’ve linked to lots of lovely resources to help you through it.
What is GDPR?
GDPR stands for General Data Protection Regulation. It’s a new regulation which is coming into force on May 25th 2018 and is designed to increase the protection, security and privacy of personal data for all individuals residing in the EU, and ensure that all companies who control and process data adhere to basic data protection principles.
Who does it apply to?
GDPR applies to anyone who controls or processes personal data belonging to people who live in the EU. So even if your company is based elsewhere, if you hold personal data from people in the EU (for example customers, clients or even people on your mailing list), then you need to take steps to ensure you are compliant with the new regulation.
What is ‘personal data’?
Personal data is any information capable of identifying an individual: for example names, identification numbers, email addresses, bank details, postal addresses and so on. If you hold sensitive personal data, like information about a person’s health, religion, political views, sexuality, etc., then even more stringent rules apply.
What is data ‘controlling’ and ‘processing’?
A data controller is someone who ‘determines the purposes and means of processing personal data’.*
A data processor is someone who ‘is responsible for processing personal data on behalf of a controller.’*
You, as a business owner, will probably count as both a controller and a processor. A company like Mailchimp (which deals with your mailing list) or Google (which handles your website analytics), for example, would also count as one of your data processors.
*Source: Information Commissioner’s Office website https://ico.org.uk/
What are the basic data protection principles?
The principles are to ensure that the personal data you collect is not misused or mishandled in any way. They are:
- Lawfulness, fairness and transparency – that any personal data is collected lawfully, and that you are completely open and transparent about how the data will be used.
- Purpose limitation – that you only use the data for the purpose for which it was originally intended.
- Data minimisation – that you only collect the minimum amount of data you need to fulfil that purpose.
- Accuracy – that the data you collect is accurate and regularly updated.
- Storage limitation – that you only keep the data for as long as you need it to fulfil the purpose for which it was collected.
- Integrity and confidentiality – that you make all possible efforts to ensure the data you collect is secure, e.g. password protection for digital storage, or a locked filing cabinet for offline storage.
Do I need to ask my mailing list to opt-in again?
This seems to be one of the biggest questions for small business owners at the moment. The answer is that if you collected the data on your mailing list in a way that was already GDPR compliant, then no, you don’t have to get your list to opt in again. However, if the way you collected the data on your mailing list was not GDPR compliant, then yes, you will need to run a re-engagement campaign to get your list to opt in again in a compliant way.
Will I need new website privacy and cookie policies?
Yes, you will need to update your existing policies with GDPR compliant ones. You’ll also need to notify your website users when you are collecting cookies (SubHub clients – you can get in touch with our support team for help with this).
Where can I find more information?
We recommend that you visit the Information Commissioner’s Office website and take a look at their guide. You can find all the relevant information there to help you become GDPR compliant.
For some extra help navigating all the information and figuring out which bits apply to your business, lawyer Suzanne Dibble is doing an excellent job of breaking it all down into easy, bite-size chunks, and she’s excellent at explaining everything in plain English! Take a look at her GDPR webinar here, and join her GDPR Facebook group here. She’s also offering a GDPR Compliance Pack, which includes all the steps you need to take as well as compliant templates for new privacy policies etc. We actually bought it and we’re working our way through it at the moment – it’s well worth the money.