Thursday, 1 March 2018

What does GDPR mean for me and my customers?

This week I attended a Chamber of Commerce seminar about the forthcoming GDPR regulations. The presentation was informative and helped to debunk some of the misinformation and scaremongering currently surrounding GDPR.

I have used some of the notes I made during the seminar to compose this article and answer some common questions. I hope you find it helpful.

What is GDPR?

GDPR stands for General Data Protection Regulation. Its aim is to ensure the privacy of EU citizens and to protect their personal data from being abused or misused.

The regulations will seek to stamp out hacking by being more open and encouraging people to report data breaches and other problems.

There has been a lot of scaremongering about GDPR online, so it's important to be clear on where you stand and what you need to do.

If you hold personal data, from customers or employees, you must be GDPR compliant.

When will the regulations be introduced?

The regulations come into effect on May 25, 2018 and will affect all businesses and organisations to some degree.

The requirements of GDPR will not be affected by Brexit and will still stand after Britain leaves the European Union.

In preparation for the changes, you will need to make sure your business is compliant with both the existing Data Protection Act and the new GDPR regulations.

What personal data does GDPR cover?

Personal data includes things like:
  • Names
  • Addresses
  • Telephone numbers
  • Computer IP addresses
  • Photographs
  • CVs
  • Email addresses
  • Passports and driving licences
  • Medical records
  • Bank details

What data will I be allowed to collect?

GDPR will require that you have a valid reason for every piece of data you hold.

You can collect any information, but you must be able to explain exactly why you need it and how you plan to use it. These reasons and intentions must be documented.

To keep things simple, don't keep any information you don't need.

Is there anything I need to make my customers aware of?

In preparation for GDPR you will need to update your data policies, including your privacy policy and your policies for data protection and data destruction.

The link to your privacy policy must be clearly visible and should ideally appear on every page of your website. If you have an app, your privacy policy should be accessible in no more than two clicks.

Your customers will have a right to know:

  • What information you are collecting about them and how you intend to use it
  • The software you will be using to process and manage their data

Will GDPR stop me from contacting my customers?

The Internet is rife with rumours that GDPR won't allow you to contact your customers. This is not the case, but the rules are changing.

The new rules will be different for B2B and B2C communications.

B2B communications

Your existing business relationships can continue, but there will be limits on how long you can keep inactive business data.

You can contact business people you meet through networking events and trade shows, but you must give them an easy opt-out if they decide they don't want to continue receiving communications from you.

B2C communications

You will no longer be allowed to send B2C communications for marketing purposes just because you happen to have a customer's email address.

B2C customers must actively opt in to receiving communications from you.

They must be able to specify the kinds of communications they are happy to receive and how they want to receive them, e.g. by post, email, phone or SMS.

Again, you must provide an easy opt-out. This should be a one-click unsubscribe and it should be immediate. Customers should not be required to send an email with 'Unsubscribe' in the subject line and they should not have to wait X number of days for the unsubscribe to take effect.

Best practice

If you are holding data for customers you haven't contacted in the last six months and don't intend to contact, it's probably best just to destroy it.

If you have a database of customers you contact regularly, you will need to reach out to them and ask them to re-opt in to receiving your communications.

It is recommended that you acquire consent tracking software so you have a clear record of who has consented to receiving communications and when they consented.

Remember to specify what communications they are opting into and ask them how they want those communications to be delivered, e.g. email, SMS, phone call.

How long can I keep my customers' data?

Consent doesn't automatically last forever. So, you cannot keep your customers' data indefinitely — even if they have given their consent for you to contact them.

You will be allowed to store the data securely for a reasonable amount of time — in most cases, six months. At the end of the six-month period, if you wish to continue contacting the customer, you should ask them to re-opt in.

The reasonable time may be extended to 12 months in the case of annual renewals such as an insurance policy or vehicle MOT.
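The consent-tracking record and the retention rules from the two sections above, written out as an added Python example. This is not code from the original post or from any product the seminar mentioned; the six- and twelve-month windows are approximated as day counts, and the contact names, channels and dates are constructed for illustration. It shows what a consent record needs to capture (who, what, how, when and where consent was given), how an immediate one-click withdrawal is honoured, and how a nightly job could list the customers whose consent has lapsed and need to re-opt in.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Retention windows from the article: about six months in general, twelve
# months for annual renewals (insurance, MOT). The day counts are an assumption.
DEFAULT_WINDOW = timedelta(days=182)
ANNUAL_WINDOW = timedelta(days=365)

# Delivery channels named in the article.
CHANNELS = {"email", "sms", "phone", "post"}


@dataclass
class ConsentRecord:
    contact_id: str
    channels: Set[str]          # how the customer agreed to be contacted
    purposes: Set[str]          # what they opted into, e.g. {"newsletter"}
    consented_at: datetime      # when consent was given
    source: str                 # where it was captured, e.g. "web form"
    annual_renewal: bool = False
    withdrawn_at: Optional[datetime] = None

    def expires_at(self) -> datetime:
        """Consent is not open-ended: it lapses at the end of the window."""
        window = ANNUAL_WINDOW if self.annual_renewal else DEFAULT_WINDOW
        return self.consented_at + window


class ConsentRegister:
    """Holds one current consent record per contact (constructed example)."""

    def __init__(self) -> None:
        self._records: Dict[str, ConsentRecord] = {}

    def record_consent(self, contact_id: str, channels, purposes, source: str,
                       when: datetime, annual_renewal: bool = False) -> ConsentRecord:
        channels, purposes = set(channels), set(purposes)
        unknown = channels - CHANNELS
        if unknown:
            raise ValueError(f"unknown channel(s): {sorted(unknown)}")
        if not channels or not purposes:
            raise ValueError("consent must name at least one channel and one purpose")
        rec = ConsentRecord(contact_id, channels, purposes, when, source, annual_renewal)
        self._records[contact_id] = rec       # a re-opt-in replaces the old record
        return rec

    def withdraw(self, contact_id: str, when: datetime) -> None:
        """One-click unsubscribe: effective from `when`, with no waiting period."""
        self._records[contact_id].withdrawn_at = when

    def may_contact(self, contact_id: str, channel: str, purpose: str, now: datetime) -> bool:
        """True only if consent exists, covers this channel and purpose,
        has not been withdrawn, and has not lapsed."""
        rec = self._records.get(contact_id)
        if rec is None:
            return False
        if rec.withdrawn_at is not None and rec.withdrawn_at <= now:
            return False
        if channel not in rec.channels or purpose not in rec.purposes:
            return False
        return now <= rec.expires_at()

    def due_for_reconsent(self, now: datetime) -> List[str]:
        """Contacts whose window has lapsed and who have not withdrawn:
        these need to be asked to re-opt in before any further contact."""
        return sorted(cid for cid, rec in self._records.items()
                      if rec.withdrawn_at is None and now > rec.expires_at())


# Constructed reference time and sample register for demonstration.
NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)


def build_demo(now: datetime = NOW) -> ConsentRegister:
    reg = ConsentRegister()
    reg.record_consent("alice", {"email"}, {"newsletter"}, "web form", now - timedelta(days=30))
    reg.record_consent("bob", {"email", "sms"}, {"offers"}, "trade show", now - timedelta(days=200))
    reg.record_consent("carol", {"post"}, {"renewal"}, "policy form",
                       now - timedelta(days=300), annual_renewal=True)
    reg.record_consent("dave", {"email"}, {"newsletter"}, "web form", now - timedelta(days=10))
    reg.withdraw("dave", now - timedelta(days=1))   # unsubscribed yesterday
    return reg


if __name__ == "__main__":
    reg = build_demo()
    for cid, channel, purpose in [("alice", "email", "newsletter"), ("bob", "email", "offers"),
                                  ("carol", "post", "renewal"), ("dave", "email", "newsletter")]:
        print(f"{cid:6} {channel:6} {purpose:10} -> {reg.may_contact(cid, channel, purpose, NOW)}")
    print("due for re-opt-in:", reg.due_for_reconsent(NOW))
```

Each record answers the questions the article says you must be able to answer: what the customer opted into, through which channel, when and where. The lapsed-consent list is the hook for the "ask them to re-opt in" step, and withdrawal is a single timestamp write, so there is nothing to batch or delay.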

What other entitlements will GDPR give my customers?

At any time, customers can ask for full details of the information you hold on them. This is known as a Subject Access Request or SAR.

Under GDPR you must provide these details in full and free of charge within 30 days, unless you have a valid reason not to — for example, if you believe the request is fraudulent. You must report such cases to the ICO for them to handle.

The Right to Erasure will also give customers the right to have their held data erased from your records.

Customers will have the right to sue any organisation that doesn't handle their personal data properly and securely.

What should I do next?

If you haven't done so already, find out if you need to register with the Information Commissioner's Office (ICO).

Not all organisations need to register, but you can check if yours does by visiting the ICO website:

The ICO will work with you to help make your business compliant. It also has an online guide that is regularly updated with helpful information.

You could also look for similar workshops and seminars near you.

Where can I find more information?

Here are some links you may find useful.
