When your line of business is u-bends, bricks or boilers, complex data legislation can feel uncomfortably outside of your area. Yet if you’re not remotely ready for GDPR, you’re not alone. A staggering 97% of all businesses, not just trades-based ones, say that they’re ill-prepared for GDPR.
Here we cut through the complexity to explain exactly what you need to know (and do), in order to be fully prepared for GDPR.
GDPR: A Quick-Fire Overview
The countdown is on – the EU General Data Protection Regulation (GDPR) will be set in legal stone as of the 25th of May 2018. Designed to replace the now out-of-date Data Protection Act, this legal framework sets out new responsibilities for companies and the ways in which they collect, use and store their customers’ data. In the simplest sense, your customers, new and old, will have more rights over the personal data you hold on them.
As for the cost of getting it wrong – this could be as much as €20 million or 4% of annual turnover (whichever is higher).
You should also be aware that you could face civil legal action if your customers have suffered as a result of your GDPR breach. This could be for material damage (such as financial loss) or non-material damage (such as distress).
First things first: What is ‘personal data’?
Personal data includes…
- Name, age, address
- Identification photo
- Email address
- Bank details
- Social media logins and updates
- Location details and IP address
- Medical information
- National insurance number
- Passport details
Eight Rights to Be Ready For
The following rights apply to everyone from past customers to prospects who have filled in a contact form on your website…
- The right to access: Anyone you hold data on will be able to ask for, and is legally entitled to receive, their personal data, free of charge and via email if requested.
- The right to be forgotten: Customers will be able to instruct you to delete their personal data, and legally you must comply.
- The right to data portability: Your customers will be able to request that you pass over their data to another business – so you should ensure any work notes and invoices are robust and ready to go from your server/computer.
- The right to be informed: You’ll also have to inform your customers about when you’re gathering data, as they must opt-in to their data being stored.
- The right to have information corrected: You’ll have to correct any out-of-date, incomplete or incorrect data if instructed to do so by your customer or prospect.
- The right to restrict processing: Individuals will be able to instruct you not to process their data (such as for marketing purposes) – but you can continue to store it.
- The right to object: This right will mean individuals can request that you don’t use their data for direct marketing (such as sending mail, telemarketing or emailing). As soon as you receive a request such as this, all data processing must stop. You must also make this right clear at the point of collecting the data (such as on your website contact form).
- The right to be notified: Finally, you must let your customers know if your system has been compromised (such as your website or email being hacked) within 72 hours of becoming aware of it.
Old data? You’ll need to have a spring clean
Got a computer full of past customers’ data from the past two decades? You’ll need to delete any data that you no longer reasonably need, or data that you’re now using for a different purpose than the one you collected it for (for example, sending marketing letters to an address that was collected only to complete a project).
Feeling more prepared? To complete your GDPR overhaul, you may now want to download the ICO’s 12 step strategy for GDPR.