by David Brice – Pro Membership Tutor
GDPR – Why the change
Whether you like it or not everyone operating with customers based within the European Union (EU) must comply with the General Data Protection Regulation (GDPR) with effect from 25th May 2018.
Companies from across the world must comply with GDPR in order to do business with EU customers otherwise they risk heafty fines.
The idea behind GDPR is to bring our data protection laws up to date for the digital age. In the UK the last major overhaul of Data Protection laws was some 20 years ago when we all thought ‘the cloud’ was something that rain fell from, not a data storage unit accessible from anywhere in the world.
It’s also to recognise that under the current rules your data, contact details etc can be passed around between marketing agencies and such like without your consent. I for one will be happy when we can insist that our data is removed and forgotten by those agencies saving those pesky nuisance calls.
I’m in the UK, can we forget GDPR after Brexit?
No – The UK Government has confirmed that the provisions of the GDPR will be adopted into UK law regardless of Brexit.
Does it affect tiny businesses?
Yes – Any business that holds personal data on individuals (customers) must comply, regardless of whether that company has collected the data or the data has been shared between businesses.
I don’t store electronic data, does it affect me?
Yes – No matter how you store data you become accountable for the management of that data. The GDPR applies to data stored both electronically and in hard copy.
What do you need to do?
Now that you can see that there’s no getting out this, the new regulations will be fairly straightforward assuming that you are already complying with the current Data Protection regulations.
Here are my suggestions on what a small cake business needs to do to comply with GDPR:
- Only request the data that you require to complete the task
List all the data fields that you hold for your customers then consider is every piece of information really necessary.
- Clarify with your customer why you are collecting data and how you will use it
If taking the order face to face or over the phone then you can have a short sentence to explain that the information provided will be in compliance with the GDPR.
If your business wishes to share the personal data which they have collected, they will also have to obtain express consent to do so.
- Pre-ticked opt-in boxes are no longer an acceptable means of using the data provided
Any customer who has been included on a mailing list by a pre-ticked box must be contacted and asked if they would like to remain on that mailing list. If a customer asks to be removed, you must comply with their request. If the customer does not reply to your request, they also must be removed from the list. No customer can be contacted for marketing purposes without giving express consent to this contact.
- Have the following processes in place:
Under GDPR your customers have the following rights:
- to be informed – of what information you hold and why (see above)
- the right of access – you must be able to disclosed all the data you hold on a customer, free of charge.
- the right to rectification – where incorrect data has been given and you have passed it on, it’s your responsibility to inform the receiving party of the correction or deletion.
- the right to be forgotten – your customers have the right to have their details ‘forgotten’ and you must comply. There are very few exceptions and none I can think of that would apply to a cake business.
- restriction of processing – where a customer contests the accuracy of data you can still hold some information, but must be specifically for the task in hand.
- data portability – a customer can authorise that you port the data you hold on them to another party.
- the right to object – customers have the right to object to unwanted communications and you must cease immediately.
- Check your security
When providing their data your customers have the right to know that it is being stored securely. There have been some high profile and embarrassing leaks of data, but once GDPR is in place anyone leaking or losing data can be very heavily fined.
- Do you need to register with the ICO?
Depending on how you store data and how you use it you may have to register with the Information Commissioner’s Office. It’s unlikely, but worth checking your specific circumstances using their Self-Assessment form.
- What if I break the rules?
Reach for a large glass of wine! Joking aside, if you discover a data breach or that you have broken the rules, in the UK contact:
Information Commissioner’s office (ICO) on: 0303 123 1113 or https://ico.org.uk/
If you have a website…
As mentioned earlier you are to ensure that opt ins are clear, separate and distinguishable from other sentences that the customer might be considering.
You must also update your website’s Terms and Conditions to take account of GDPR.
Finally, but importantly, your website must include a Privacy Statement. ICO have kindly provided an example of a privacy statement for you to use.
If you have staff…
Employees should be made aware of their rights under the GDPR, particularly with regards to their consent to their employer in gathering personal data.
You will also want to include a note on GDPR in the welcome pack for any new employees.
There you go, it wasn’t that painful was it! So long as you apply the points above you you will be compliant. However, it must be said that this has just been a brief overview and there’s plenty of additional information out there.
The Information Commissioner is responsible for the management of GDPR for the UK and there is lots of useful information on their website: https://ico.org.uk/
If you are still unclear, then seek professional legal advice.