21 Mar
GDPR – is your company ready? What you need to know
As the introduction of GDPR nears, many firms remain unsure about exactly how this tough new data regulation will affect them.
If you are thinking, ‘we don’t deal with data’ or ‘we are not involved with direct marketing’ think again.
The General Data Protection Regulation will affect every organisation that does business in, or with, Europe when it comes into force on May 25, 2018.
Data is not only lists of contact details held on file for marketing purposes. It is also names and addresses, photographs, telephone numbers and email addresses: the sort of information taken frequently, and usually given freely, when signing in, making an appointment, buying a product, registering for a new service or booking a holiday.
These are the sort of details handed over by customers needing work completed by tradesmen and companies – and by staff when starting a new job.
While the robust new stance on data regulation has been in no small part prompted by the explosion in online data use, the regulation has adopted a catch-all approach.
The main requirements of GDPR:
Clear consent to use and store personal details (this has to be proactive, clear and unambiguous – not a pre-ticked box).
A secure storage system – GDPR insists on ‘privacy by design’, which means data needs to be stored on a system that has been set up with security as a priority.
Easy accessibility – requests to access, delete or transfer data need to be taken seriously and answered promptly; GDPR sets a default deadline of one month for responding.
In short, if you have someone's personal data on file you need to be able to show a lawful basis for holding it – typically that you have their permission – and for whatever purpose you intend to use it.
Those details also need to be safe. A data security breach or failure to prove consent to use details could land an organisation a hefty fine.
The harshest financial penalty for a breach of GDPR is a fine of up to 4% of annual global turnover or €20 million – whichever is the greater.
What do I need to do?
Update contacts – audit the data you have on file and ask whether it is necessary. Anonymise, pseudonymise or delete data that is not compliant, remove data that is out of date or duplicated, and make sure historic opt-out requests have been actioned.
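The audit step above is where the difference between pseudonymised and anonymised data matters in practice. The following is an added example, not code from the original article: it de-duplicates a contact list, drops records older than an assumed two-year retention period, and then replaces direct identifiers with a keyed HMAC token whose lookup table is held separately. It also shows why an unkeyed hash of an email address is not adequate pseudonymisation: anyone holding the table can recover guessable addresses by hashing candidates. The record layout, the retention period and the sample people are all constructed for the example.

```python
"""Contact-list audit helpers: de-duplicate, drop stale records, pseudonymise.
Added example, not from the original article; record layout, the two-year
retention period and all sample records are assumptions."""
import hashlib
import hmac
from datetime import date, timedelta

# Constructed sample records (fictional people) in an assumed layout.
RECORDS = [
    {"name": "Ada Example", "email": "ada@example.com",
     "last_contact": date(2018, 1, 10), "opted_out": False},
    {"name": "Ada Example", "email": " ADA@example.com",        # older duplicate
     "last_contact": date(2016, 5, 9), "opted_out": False},
    {"name": "Bob Sample", "email": "bob@example.org",
     "last_contact": date(2017, 8, 3), "opted_out": True},      # historic opt-out
    {"name": "Cy Stale", "email": "cy@example.net",
     "last_contact": date(2013, 2, 1), "opted_out": False},     # out of date
]
AUDIT_DATE = date(2018, 5, 25)          # assumed date the audit is run
RETENTION = timedelta(days=2 * 365)     # assumed retention period


def normalise_email(email: str) -> str:
    return email.strip().lower()


def audit(records, today: date, keep_for: timedelta = RETENTION):
    """Collapse duplicates on the normalised address (keeping the newest contact
    date, and the opt-out if any copy carried it), then split records into
    those within the retention period and those to be deleted."""
    merged = {}
    for r in records:
        addr = normalise_email(r["email"])
        r = dict(r, email=addr)
        if addr in merged:
            prev = merged[addr]
            r["opted_out"] = prev["opted_out"] or r["opted_out"]
            r["last_contact"] = max(prev["last_contact"], r["last_contact"])
        merged[addr] = r
    kept, dropped = [], []
    for r in merged.values():
        (kept if today - r["last_contact"] <= keep_for else dropped).append(r)
    return kept, dropped


def pseudonymise(records, key: bytes):
    """Replace direct identifiers with a keyed token (HMAC-SHA256 over the
    address). The working set keeps only the token and non-identifying fields;
    the lookup table mapping tokens back to identities, and the key, must be
    stored separately from it."""
    working, lookup = [], {}
    for r in records:
        token = hmac.new(key, r["email"].encode(), hashlib.sha256).hexdigest()[:32]
        working.append({"token": token, "last_contact": r["last_contact"],
                        "opted_out": r["opted_out"]})
        lookup[token] = {"name": r["name"], "email": r["email"]}
    return working, lookup


def reidentify(token: str, lookup):
    """Only the holder of the lookup table can turn a token back into a person."""
    return lookup.get(token)


def anonymise(records):
    """Strip identifiers with no lookup table at all: irreversible, so the result
    is no longer personal data."""
    return [{"last_contact": r["last_contact"], "opted_out": r["opted_out"]}
            for r in records]


def unkeyed_token(email: str) -> str:
    """The weak alternative: a plain hash of the address, no secret key."""
    return hashlib.sha256(email.encode()).hexdigest()[:32]


def guess_token(token: str, candidate_emails):
    """What someone holding only the working set can do: hash guessed addresses
    and compare. Recovers unkeyed tokens; fails against HMAC tokens without the key."""
    for e in candidate_emails:
        if hmac.compare_digest(unkeyed_token(e), token):
            return e
    return None


if __name__ == "__main__":
    import secrets
    kept, dropped = audit(RECORDS, AUDIT_DATE)
    working, lookup = pseudonymise(kept, secrets.token_bytes(32))
    print("kept:", [r["email"] for r in kept], "dropped:", [r["email"] for r in dropped])
    print("guess against HMAC token:", guess_token(working[0]["token"], ["ada@example.com"]))
    print("guess against unkeyed token:", guess_token(unkeyed_token("ada@example.com"), ["ada@example.com"]))
```

The design choice worth noting is that pseudonymised data remains personal data under GDPR, because the lookup table makes it reversible; it reduces exposure if the working set leaks, but does not take the data out of scope. Only the `anonymise` path, which discards identifiers with no way back, does that.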
Make forms GDPR compliant
Reassess the wording that is used to ask customers for permission to store and use their personal details. This needs to:
- Be clear and ask the customer to opt in – for example ‘tick here if you would like to receive seasonal promotions’. Boxes pre-ticked for consent are not acceptable.
- Ask for specific permissions for the method of contact: SMS, email, post, telephone.
- Identify for what purposes the data will be used: to send monthly discount offers, product updates etc.
If asking for permission on behalf of a third party – even if part of the same umbrella organisation – this needs to be clearly stated by name along with the purpose of data use.
Responsibility for security needs to be taken at the top management level and cover paper files, staff training and computer files.
Check that your anti-virus and anti-malware software is up to date and adequate. Depending on the data held and the manner of working there may be a need to encrypt emails and to require a second factor (two-factor authentication) when logging in or accessing files remotely.
Staff need to be trained to understand their responsibilities under GDPR and it may be necessary for them to sign a non-disclosure agreement.
Where sensitive data is filed on paper this should be digitised or stored securely. This is also a good time to consider the effectiveness of physical security that protects documents and computers.
Organisations also need to check that data processors acting on their behalf, such as payment providers and CRM systems, are GDPR compliant; GDPR requires a written contract with each processor setting out what they may do with the data.
Security key actions:
- Ensure staff are trained
- Audit what data is held and identify risks
- Install up to date security software
- Encrypt personal devices
- Ban the use of personal email for work purposes
- Have adequate data back-up systems in place
- Introduce strong, unique passwords (and change them promptly whenever compromise is suspected)
Any data breach likely to put individuals at risk needs to be notified to the Data Protection Authority (DPA) within 72 hours of the organisation becoming aware of it.
Will GDPR affect our ability to post on social media?
The responsibility to secure data permissions for personal data used on social media falls to the platform, so when using Facebook, Twitter, LinkedIn and Instagram for example the user has agreed to share details on that platform.
If users like your page this is a great way to maintain contact and share promotions.
However, the permission given by sharing information on social media, including handles and email addresses, does not extend beyond that context. If such details were copied and stored on a list of contacts, their use would fall under GDPR in full. The permission has been given for the social media setting alone.
Employers need certain information relating to members of staff to allow them to be employed and paid. Employers do, however, need to tell staff what is held and how it will be used (and, where they rely on consent, to obtain it explicitly). Ideally this should be set out in the contract of employment or an accompanying privacy notice.
Again, secure storage is important and care must be taken not to ask for excess information just to keep on file. Employees also have the right to ask to see that data and to ask for it to be removed, subject to the retention obligations described below.
For existing employees, firms should issue a new privacy notice reaffirming what data is held and why it is used.
Employers are able to rely on legitimate interest when processing certain data. The legal basis chosen for GDPR compliance does affect the approach to take: consent is only needed where no other legal basis applies, and performance of a contract, including an employment contract, is one such basis.
Personal details of former employees or applicants should not be kept for longer than stated under employment law. For tax purposes this is generally three years, although it is recommended to hold on to employee records for seven years after they have left in case of any legal action.
In cases where parental leave has been taken this rises to eight years, and to 10 years for individuals who suffered an accident at work. Again, pension arrangements may require details to be kept on file, but this should be the bare minimum.
Where companies have a contract that they need to fulfil, legitimate interest should cover the use of relevant data to allow that to be carried out, in which case the need for consent does not strictly apply.
When contacting previous customers within a reasonable timeframe – such as up to two years – contact without fresh consent should be covered by legitimate interest, given the existing commercial relationship. The option to opt out does need to be included in every communication, though.
This would not apply to third party contact where the customer has not had contact directly with the company.
As regards previous customer contact details the decision to seek consent is not necessarily clear cut. Organisations can choose to audit data then continue to contact customers using legitimate interest, or they may choose to seek fresh consent for clarity.
This needs to be approached with caution, as contacting customers who have asked to opt out can land companies in trouble under existing data laws, with a number of high profile companies having been fined for this.
At the end of the day, when it comes to customer contact, if you are not sure you can demonstrate legitimate interest you should seek consent – but you must do this in a manner that does not itself breach data regulations, by making sure you are not contacting customers who have opted out.
If all previous data has been collected in a GDPR compliant manner it should be fine to use, however when seeking new consent, or contacting existing customers those individuals still need to have the option to opt out of future contact.
The optimists among us will ultimately see GDPR as a positive move. For organisations with a legitimate reason to contact customers, obtaining consent under GDPR is a proactive step: the clients you are contacting are actively interested in your product or service and are more likely to open emails and act on them.
Weeding out the spam will also allow promotions that are of genuine interest to the customer more space to breathe in recipients’ inboxes by enabling those messages to stand out.
In applying the highest standards to your business when it comes to both customers' and employees' data you are underlining your integrity, which goes a long way towards fostering loyalty.