Relax, it is only GDPR!
So, I am sure by now you have all heard of GDPR – and if you haven’t, where have you been??? – but do you truly understand what it is about, or are you buying into the panic hype that most small business owners and bloggers are falling into?
GDPR is nothing more than an extension of the Data Protection Act 1998, adapted to the change in how we market our businesses to individuals. Anyone who interacts with the personal data of an individual must comply, regardless of where you are located.
First, let’s look at the two GDPR myths that have been going around. We will look at both in this guide.
GDPR Myth #1
It applies to only those in the EU.
GDPR Myth #2
You need to rebuild your mailing list.
About the First GDPR Myth: Yes, it does apply to businesses AND individuals who reside in the EU. But if you are emailing a newsletter to someone in France, you need to comply even if you live in San Francisco.
It does not take much to become compliant, and some businesses are already managing their data in the proper way without realizing it. Let us explain how you can do it too.
Let’s Audit our Data
Since the GDPR legislation applies to data, it is a good idea to understand what is meant by data and where we collect it. Data is anything that can identify an individual, including:
- Physical Address
- Location information
- IP address
Most of this information will be collected via a contact form, Google Analytics, or a number of plugins installed on your website. This is a good time to assess the plugins and 3rd party software you use, and determine whether the ones you have are GDPR compliant. If not, a change in plugins/software would be a good update to ensure that all the data you collect is kept secure and within compliance at all times.
Keep a spreadsheet, or word doc, of the data you collect and where it comes from – you will need this later!
Check the data you hold is lawfully held/processed
A requirement of GDPR is to hold only the data necessary for the purpose for which it is processed, and to do so in a lawful way.
What is meant by lawful way?
According to Article 6 of the GDPR, at least one of the following lawful bases for holding data must apply.
There are more bases, but these are the main ones relevant to SMEs and bloggers:
(b) Contractual Performance: processing is necessary for the performance of a contract to take place between the business and the individual who the data relates to.
(c) Legal Obligation: processing is necessary for compliance with a legal obligation to which the controller is subject. For example, financial reporting obligations, employment records, DBS records etc.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data – such as when the individual is a child. An example of legitimate interest would be an interest in the products you sell: purchasing a product through an e-commerce store and then receiving follow-up emails.
Data Audit done, now what?
Now we do what is necessary to be compliant, and smash the second myth.
- GDPR Myth #2 – You need to rebuild your mailing list.
Well, no you don’t. If you have previously had individuals sign up using a double opt-in process, then that data is compliant. If not, then a simple request asking them to update their preferences is fine. If they signed up in the process of purchasing a product, then it is classed as legitimate interest and again OK, as long as each email sent has an unsubscribe button that is clearly visible and easily accessed.
- Check your wording and processes
It is a simple case of being transparent and upfront. If you run a freebie and plan to use that data to send marketing emails, then you need to tell people this instead of assuming this is what people expect to happen. Remove auto opt-ins, and make it obvious what you are asking consent for.
Collect only the bare minimum of their data, so if you ask for their date of birth but don’t need or use it, then stop asking for it. Inform people in advance what your lawful basis for using their data is, as well as how they can request a copy of the data you hold and what your right to be forgotten process is.
Right to be Forgotten – Whether they email or write a letter to you requesting that their information be deleted, you must delete it once you are no longer obligated to store that data. Legal obligations include employee records or financial record-keeping reasons.
See, not so scary when you break it down to the basics. But if you are still unsure then get in touch with a compliance officer, or someone else in the know who can help you run an audit and make the necessary changes. Please be aware I am not a lawyer, and the above information is what I have done for my business to become GDPR compliant based on a number of seminars and input from those in the know.
Some helpful links
How does the GDPR affect your FB Ads
Shari is a single mum to three children who started a VA business to support her family back in 2012, while still being there for her kids and working around her medical conditions. She loves family time and exploring the local environment, taking plenty of journeys to museums, farms and beauty spots. She loves to learn and is constantly taking part in new diplomas, certificates and courses on top of her Business Management and Accountancy Degree. Her passion is helping others to obtain their goals and helping business owners to organize their businesses. Her mind is always on the go with new ways to help people, promote businesses and look for something new to learn. As a Virtual Assistant she can do all of these things and never lose the enjoyment of her job.
Follow her on Twitter @RedRiteUK