On May 25, the General Data Protection Regulation (GDPR) comes into force in all 28 member countries of the EU. And, yes, that currently still includes us here in the UK.
Yet the sky isn’t falling down. The four horsemen aren’t saddling up. And, contrary to rumours peddled by certain members of the red top press, that isn’t a boatload of rats you see donning their lifejackets.
But GDPR will change the way businesses which collect, store and utilise data captured from their customers can use it.
Which will be all businesses then.
And if you’re not ready for it, it’s time to make preparations. This isn’t a directive. It isn’t a suggestion. It’s law. And failure to comply can generate a fine of up to €20m or 4 per cent of global turnover.
On the off-chance that you’re reading this from outside the EU, don’t think you’re immune to the long arm of GDPR. If you control or process the data of EU citizens, then GDPR will apply to you.
In broad terms, GDPR is about data permission, data access and data focus.
Did the customer give active permission to have their data collected? A simple tick box isn’t good enough any more. Especially not a tick box that is already ticked.
You must be able to demonstrate that a customer confirmed they were happy to have their data collected – and for the purpose for which it was used. In practice this means ensuring that, alongside collecting name, email address, phone number etc., you also capture confirmation that they actively agreed (not passively, but by actually doing “something”) to ensure compliance.
Does the customer have the ability to view the data you have about them, and can they easily revoke the permission they gave?
If someone asks to have their information removed, the process must be as simple as the process you used when requesting the information.
Was the information you collected required to provide the customer with the service they signed up for – and are you using it for the reason they provided it?
Did you really need a phone number when someone signed up for your newsletter? Probably not, so you’re not allowed to capture it.
And data can only – ONLY – be used for the purposes agreed to when it was provided. So, signing up for the newsletter doesn’t give you permission to email customers about anything else.
Going forward, ensuring compliance with GDPR is unlikely to be difficult for the majority of businesses. Update your capture mechanisms, ensure they’re as focused and granular as possible. And don’t forget to record the method by which they actively opted-in.
And don’t use the data for any purpose other than that originally stated when they signed up. I know I’ve said that already but it really does bear repeating.
But what information are you going into this “new data world” with? Is what you currently hold compliant with GDPR?
Unless you have an audit trail to demonstrate an active opt-in for the purpose you’re using the data, probably not.
If you’re looking for a review of your existing database for GDPR compliance or new data capture forms for your web site, then come say hello.
The image at the top of this page is taken from here. All rights recognised and respected. Image may have been cropped to fit the available space.