GDPR comes into effect on 25th May 2018 and will change the way we collate and hold personal data.
This is not a normal post from me, and deviates massively from my usual topics of food and allergies! But, these changes will massively impact how this website runs and how I can interact with all of you lovely readers, so I thought it was important to explain what is going to be changing, why, and what differences you'll see!
I spent the afternoon in a training session hosted by my IT team, an HR consultant and a lawyer today. An interesting combination I’m sure you’ll agree, but eye opening for sure.
Some may have heard of GDPR before, whilst others may be completely oblivious.
I fell in the middle of the two until today, and now I’m firmly in the camp of understanding what is involved and the monumental shift that’s about to occur in the way all of us work forever.
Why is this?
Quite simply, it was time for a change. The Data Protection Act hasn’t been updated since 1998. To put it into context as explained to us this afternoon, back in 1998:
- France won the world cup
- The Millennium Dome build got underway
- Armageddon and Saving Private Ryan were the biggest grossing films that year
- ER and Friends were THE television shows of the moment
- Social media didn’t exist
- Only around 20% of households had internet
- A similar amount had mobiles and texting was rare due to the cost
Yep, that made me feel old too! 20 years ago, and social media didn’t exist, yikes!
And the Millennium Dome wasn’t even built…… doesn’t seem possible does it!
So quite rightly, change has to happen. Things have clearly evolved, mostly for the good, but it means there’s a whole load of ‘new’ data that isn’t currently protected and it needs to be.
Enter GDPR stage left!
So what is GDPR?
It stands for General Data Protection Regulations and affects anyone who collates other people’s data in some way.
This can be businesses who run an e-commerce shop, any business that collates data for newsletters, or asks you to fill out a form to then provide a quote.
It also affects bloggers who collate data to build subscriber lists, no matter how big or small their site. And even all those lovely people who leave comments on blog posts!
We ALL need to be able to provide supporting evidence to show consent has been given to hold personal data (name, email address etc) and then prove that the data we hold is kept safe and secure.
On top of this, if we want/ need to retain the information for longer than 12 months, we need to repeat the request for consent every 12 months to comply with regulations. It doesn’t roll over, we need to be able to prove that consent has been given again.
Now for businesses, this is a whole different kettle of fish to bloggers. For bloggers, it will help to streamline subscribers and ensure that those on our mailing lists are active and engaged – the very readers we actively seek. If we have subscribers who don’t ever engage, it doesn’t help us to grow! So, I see this side as a positive for us!
We were given key tips to work to during our training:
- Awareness – making sure that we are fully aware of the GDPR laws, including any VA’s or anyone else we may employ as the onus will be on us to comply
- Information held – we need to be able to show what personal data we hold (such as email addresses, mobile numbers etc), where it came from, why we have it, how we use it, and whether we have permission to share it as we could be audited at any time
- Privacy notices – make sure we have privacy policies in place ahead of 25th May 2018 on our sites and ensuring plans are in place for any changes we need to make
- Individuals rights – we need to be able to show how we would delete personal data, how we store data electronically, and how we protect it and make sure we have a standard procedure/matrix in place
- Access requests – if we are requested access to data held, we need to have procedures in place on how we would handle this, and the timescales of how quickly we would provide the requested information. As an FYI, breaches need to be declared within 72hrs of the breach occurring. Anyone who has signed up to a newsletter can request information on what data you hold on them and request the removal of them and expect to have an explanation of how we would go about doing this
- Lawful basis for processing personal data – ensuring our privacy notice identifies the lawful basis for our processing activity in the GDPR, and being able to explain it
- Consent – this was a huge topic in its own right, throughout the training session! It is the responsibility of us as site owners to review how we seek, record and manage consent and any changes we need to make to ensure we’re compliant. If we haven’t expressly advised that an individual will have their data stored/ recorded we are not compliant and can not lawfully retain the information.
- Data breaches – We are fully responsible for any data breaches, and need to be able to detect, report and fix any. This includes if our sites are hacked!
- Register with ICO - Any one who is processing personal information (be it organisation or sole trader) needs to be registered. To find out more, click here
The key findings to take away
The idea behind GDPR is for us as data collectors to be more responsible with the data we hold.
We need to be able to show that clear consent has been given when people have signed up to newsletters, with a detailed description of what we will do with their data (i.e. – we will email you on a weekly/monthly/bi-annually basis with information on articles we have posted, giveaways etc) so the expectation is set from the very beginning.
Any subscribers we have already will need to be contacted and asked to re opt in/ sign up to newsletters/ re subscribe, and if any don’t, then the data needs to be responsibly deleted.
Legally you’re not able to incentivise to gain consent, such as through a giveaway or competition. People need to be doing so because they want to, not because of any perceived bribe.
Fines for breaches
It was advised that fines incurred would be either 4% of annual turnover or €20million, whichever is higher.
Unlike tax protection insurance, there is currently nothing to protect anyone, and ultimately the advice is to comply or accept the consequences.
We all need to show that we’re doing everything we can to be compliant and remain so.
It was assumed that once we had put policies in place, a matrix would be used to ensure we remain compliant.
For any personal data we hold, we need to be able to prove that consent has been given to use it, and hold it!
Old emails are also affected
Many of us keep old emails and contact details so we can reconnect with old PRs and clients we have worked with in the past.
As this information is classified as personal data (i.e. a person can be identified with this information) it also falls under GDPR compliance and requires permission to hold this information.
A simple way to overcome this is to work into our contracts that permission is granted from both parties to retain information, including email trails, for a period of 12 months with a review at the end of the 12 months.
It is initially a lot of work to become compliant, but once everything is in place, it should be much easier and will simply become a way of our working life.
So, hands up who’s ready?