At the time of writing we are nearly a month into a new era of data protection rights for individuals.
I’ve been talking with micro and small business owners who are extremely worried that either they haven’t taken the necessary steps to comply with GDPR or that they have done some things but are not sure it is enough. If you are one of them you are in good company – there are numerous reports and statistics out quoting figures and percentages that show a shocking number of companies remain unprepared.
Some extremes include companies deleting their data, trying to re-permission their entire database or halting their marketing activity while they stress about who they can and cannot contact. These are high-risk strategies: data is the life blood of a company, some re-permissioning will itself be unlawful, and promotional activity needs a consistent presence to reap reward.
GDPR will impact every company – charity, sole trader, partnership, PLC and limited company – that holds any form of personal data, and even more so if you deal with sensitive or special category data.
Although most sectors are awash with guidelines and interpretations of the regulations many are still at a loss as to how to proceed. Some companies are even waiting for the first victims to be named and shamed – not wise when your company could potentially be looking at a fine of up to 20 million euros or 4% of total annual turnover.
We all have a day job that keeps us busy – GDPR remains an unchecked task on the ‘to do’ list. You know you need to do it, you know it’s important and you understand the consequences, so what’s the excuse?
The time to start (or, if you have already made some progress, to finish) getting GDPR checked off your list is now. Of course, this is easier said than done, and if you need some pointers as to what to include on your to do list the following will get you started:
- Sort out your clients, contacts and prospects into business and individuals (under GDPR both have different rules about what you can and can’t do)
- Look at what personal data you hold – do your records contain special or sensitive data? (if so you need to beware of the additional obligations)
- Write a Privacy Statement for your business and publish it on your website
- Brief your team on GDPR and ensure they understand your Privacy Statement
- Write an internal data protection policy and train your staff (include this within your staff handbook)
- Decide on the legal basis you will rely on to process data (there are 6 in total and you may need to formally record your reasoning)
- Look at the data you hold and have been hanging on to – do you still need it? Think about a data spring clean
- Understand the difference between a marketing email and a service email
- Ensure your emails have the appropriate content as required by PECR
- Set up a GDPR Compliance Folder – we suggest 4 sections to include Customer data, Staff data, IT security and Management (there are a number of documents that you will need to evidence within each section of your folder)
- Implement a personalised and segmented marketing plan that makes the most of your freshly sorted data whilst remaining compliant
- Enjoy the benefits of finally sorting your GDPR
Of course, this is a simplified list of what you actually need to do – the detail will be contained within your Compliance Folder. We’ve been working hard on Compliance Folders for our clients, some of which contain around 40 different but necessary documents (statements, policies, procedures, internal definitions and templates). That sounds like a lot because it is!
If you want to find out more about what you should already have done you can read the GDPR guidance here, or if you haven’t got time to read and understand the 241 pages, speak with us – we can help you with your GDPR compliance, staff briefings, processes and procedures.
Call us on 03300 414 550 or email firstname.lastname@example.org