Yes. Yes it does.
As far as we’re concerned, GDPR exists to create a better customer experience for all customers, something all start-ups must focus on anyway, and that is an important distinction business leaders need to keep in mind.
The changes being introduced, while to many may seem onerous, will ensure people get less unwanted communication and that wherever their data is being stored it is safe and stored for the right reason.
A lot of the existing data protection regulation already exists to ensure this. However, the major difference, and this is not to oversimplify some very complex changes, is the need to get consent for a specific use of data.
We chatted to our IT supplier and resident GDPR expert Willie Fairhurst from ECS, who is working with us on meeting the regulations, to get his insight.
Here are the top eight areas that you, as a startup or small business, need to consider to make sure you are on track to meet the 25th May deadline. William had this to say to kick things off:
“First up, this is coming and no one who collects personal data is exempt. Brexit will have no impact on this as the British Government have already indicated that our data laws will mirror that of the EU GDPR legislation.
So no matter which way you look at it no one will be getting round this and ignorance will be no defence.”
“Here are eight core principles you need to consider and understand to make the process easier.”
Fair and Lawful
Are you collecting the personal data for a fair and legal purpose? It is incumbent on you as the collector of data to outline why you are collecting each element of personal data and what you plan to use it for.
For instance, if there’s no legal requirement to hold a record of criminal convictions, then don’t request it. It would only become additional personal data that could be exposed in a breach.
Specific for its purpose
You need to be explicit about the use of the data you collect and the reasons you are collecting it. It is no longer acceptable for companies to include in the small print that data collected can be “shared with third parties” or that “you may receive information from partners”.
As a business you need to provide the customer with the option to agree to the sharing of their data.
Aligned to this is the fact that genetic and biometric information is now considered sensitive and needs to be managed in a similar way. Basically, “why are you collecting it and do you really need it?”
Adequate and specific for purpose
There must be an explicit purpose for holding personal data. Known as “minimisation”, this is the practice of collecting only the data necessary to complete your business goal. This may seem like a change in approach given the clamour over the last few years to build up as detailed a picture of people as possible.
However, while data is still vital and will drive business going forward, you need to be explicit about how you plan to use it. This might not seem great for marketing teams, as it will significantly reduce the size of their marketing database. However, the CTR and open rates should skyrocket, as only people who wish to receive marketing information will get your communication, again creating a better customer experience.
Accurate and up to date
As a business, the onus is on you to make sure the information you hold on your database is accurate and up to date. It is important you are not trying to contact people using old details: not only is it a complete waste of time, but it is also intrusive for those who may receive the communication.
Length of time holding data
This is still a bit of a grey area as there is no explicit direction on the specific length of time, but the regulations have stated for a while that you can hold data for “a reasonable and appropriate length of time”.
You need to justify what this length of time is and why it’s relevant. Most businesses are using two years as a rule of thumb, re-engaging with customers at that point to make sure they are still happy to remain on their database.
For marketing data this is generally six months, and when you go back out to customers it is to ask whether or not they still consent.
Right to be forgotten
This is one of the most significant moves in this change in regulation. Under the new GDPR regulations, people have the “right to be forgotten”: within reason, they can have all their information deleted from your system. There are situations where existing regulations create a legal requirement to hold information on individuals (employee pay records, for example). People can also request the transfer of all their information to another system for free.
Safe and Secure
It is the responsibility of the data controller to keep the information they hold safe and secure. This includes managing relationships with any other suppliers you pass information to, for example by ensuring they are GDPR compliant. As the data controller you are responsible for the transfer of data and for its security during the transfer. If you have not confirmed that the supplier is compliant, you will be held responsible.
Larger companies (over 250 employees and 5000 personal records) are required to appoint a Data Protection Officer (DPO). For those smaller than this it is a judgement call, but generally having someone managing the process is good practice.
Not transferred outside the EEA
Data must not be transferred outside the EU. There is a ‘Privacy Shield’ which can be applied for to enable data to be transferred to the US. However, unless you have the explicit and documented permission from the user to transfer their data outwith the EU you will be in breach of the regulations.
It is important you consider the cost of transferring data outwith the EU, as even if you have permission, you will still be held responsible should there be an issue.
Getting ready for GDPR
Willie concluded by saying:
“These are fairly broad areas that need to be covered, but it’s important you take the time to identify how they will impact on your business and take steps to meet the requirements before the 25th May.
As mentioned, it might seem like a bind just now but in the long term it will improve your customer service and increase the efficiency of much of the marketing efforts.”
If you’ve not started the process, or have put it to the bottom of the pile, we would suggest tackling it head on and starting with the areas above.
Chatting to an expert like Willie at ECS will be a great start and will put you on the right track.