What the BLEEP (****!) is the GDPR?
+ ways to help you become compliant
Okay, before I get started……
**** DISCLAIMER, DISCLAIMER, DISCLAIMER **** I am NOT a solicitor or lawyer. I cannot give you advice to follow; I am only making you aware of what the GDPR is and pointing you towards some resources to help. I am sharing some ideas with you about what I’m doing in my business…but this may not be applicable to your business. If you need help with this, seek legal advice to make sure you and your business are compliant and to avoid any penalties. This article is NOT legal advice. By continuing to read this post, you confirm your understanding of this disclaimer.
Phew okay… in a nutshell, here we go….
What is the GDPR?
It stands for the General Data Protection Regulation and is a new law (created by the European Union) that goes into effect May, 2018 (only a little over 2 months away at the time of this post).
Its purpose is to protect the personal data of EU citizens (and I believe EU residents) and to regulate how that data is collected, processed, used and stored by businesses. This covers data collected through your website or by any other means.
Now…..I can hear some of you saying…. “I’m in the US, so this doesn’t apply to me”…..and I’m sorry that I now have to tell you, it does. Again, I am not a solicitor or lawyer, and I have no idea how the jurisdiction works, etc…. but I know the law applies to ANY business that collects, uses, stores or processes any data collected from EU citizens regardless of where you’re based in the world.
I can also hear people saying “We’re in the UK and leaving the EU, so it shouldn’t affect me.” W-R-O-N-G…. when this law takes effect (in May, 2018), the UK will still be a part of the EU, and it’s expected that they will continue to want to be regulated by it after Brexit. This law is being looked at as the benchmark for future data protection, and it won’t be long before it’s adopted by other countries for their citizens too.
So, unless you’re a super genius who can block EU citizens from signing up to your opt-ins and your email lists, from buying your goods/services (paid or free, digital or physical), from viewing your website, from giving you personal data, and from interacting with the contact forms on your “contact” page, then yes, this law does apply to you. And if you’re tracking any user data through programs like Google Analytics, then yes, this law also applies to you (more on this to come…).
What is the purpose of this law?
The GDPR gives individuals, or “data subjects”, from the EU a clearer path to obtain a copy of the data you hold on them, to correct or edit that data, to have it erased, or to withdraw their consent for you to hold data on them. It also means their data must be better protected from data breaches.
As individuals (or data subjects) within the EU, this is great news! It means that businesses have to be more clear about how they’re using your information, how they’re storing it, how they’re processing and sharing it, how safe it is, etc…
As small business owners it can feel like a bit of a nightmare (I had a very very very sleepless night when I first heard about it which wasn’t long ago).
And, some of us will be tempted to think “Aw, they’ll just go after the big companies, not small businesses like mine.” You can think that all you’d like, and I can’t say one way or the other how they’ll start auditing businesses or who they’ll target first…..but if you don’t want to be made an example of and you don’t really have the budget to cover a 20 million Euro fine (um…I don’t), then I highly suggest you start making moves to become compliant.
What will this cost me, if I’m not compliant?
I want you to know that the fines are heavy and the fines are serious. The fines are stated as 4% of your annual worldwide turnover (based on the previous tax year) or 20 million Euros….whichever is G-R-E-A-T-E-R. Yes…whichever is greater. They are very very serious about this, so we should be too.
And, let me also mention that it is not the responsibility of your web designer, your hosting company, your employees, etc… to make sure you are compliant. It is YOUR job and your ultimate responsibility as a business owner to make sure you are GDPR compliant.
What is considered personal data?
Data can mean anything from first names, last names, middle names, email addresses, IP addresses, to geographical data. It can also mean sensitive data like gender, religion, sexual orientation, health information, nationality. And it means credit card details, payment details, etc… and I’m sure there’s more (this is not an exhaustive list…remember I’m not a solicitor/lawyer)!
When I first heard about all of this, I started to panic!!!!
I searched all around the web, and whilst I found information in the form of legal jargon, I didn’t find a whole heck-of-a-lot of info I could understand…so, at the end of this post, I will list out some articles I read (remember….it’s at your own risk what information you use to get yourself compliant) and advise you of some of the steps I’m taking to help my business become compliant (again…contact a solicitor/lawyer as your business may have very different needs from mine).
Okay a quick recap….
- Individuals have the right to know what data you hold on them, how it is used, how it is stored, how long you hold it, and how it is processed.
- Individuals have the right to edit/change, erase/delete, or refuse you using their information (and probably more rights that I haven’t yet discovered).
- You can only use the data you collect for what you say you’re going to use it for when you collect it. An example in an article I read was…. you cannot collect an email address from a contact form on your website that someone used, and then put their email into your email marketing list.
- You must tell the individual how long you will hold the data for.
- You must provide them with contact details of someone in your business that you’ve appointed as an officer to deal with the GDPR, otherwise known as a Data Protection Officer (DPO)…in my case, it’s me…as I’m a one-woman show.
- If you have a security breach (meaning you got hacked…whether it’s your database with your hosting company, or someone hacked your home computer, or robbed your house and stole physical files where you hold Excel spreadsheets with personal data, etc….), you have to report it to the relevant authorities within 72 hours of becoming aware of the breach. In my case, because I’m in the UK, it would be the ICO (https://ico.org.uk/)….Google to see what authority you need to report to, if you’re not in the UK.
Now, where do you go from here?
1. Do an audit.
Look over every part of your business to see where you’re collecting data. This does NOT stop at just your email marketing and your website contact form……
When I started doing an audit of my business (and I’m still doing it btw…) I started to realise there were more and more areas where I’m collecting data that I wasn’t even aware of….
Here are some places you may be collecting data for individuals….
- Do you have a contact form on your website? If you do, that means when someone uses it, their details are stored in your database…for how long? Contact your hosting company to see how secure those details are, how long they’re held for, and if you need to make changes or delete info, how you can do that.
- Do you have an email marketing platform like Mailchimp or Active Campaign? Yes…even though they are processing your data, you are sending it to them through your opt-in forms, etc…
- Do you use Google Analytics or a similar data processor to analyse the use and behaviour of your site visitors?
- Do you have a WordPress site with Plug-ins? Do any of those plug-ins process personal data and are those processors GDPR compliant?
- Are you using a WordPress theme? Is it GDPR compliant?
- WordPress itself probably captures data that you don’t even know about. Check this out too.
- Your hosting company…how do they protect your database and is it or will it be compliant?
- Do you have your site with a website builder like Wix, Squarespace, Weebly, etc….? What measures are they taking to be GDPR ready?
- Your payment processors, if you take payments for any products or services (things like PayPal, Stripe, Square, TransferWise).
- Do you use survey software like SurveyMonkey? They may not collect names of your survey-takers, but they may collect IP addresses.
- Do you use cloud storage like Dropbox, Google Drive?
- Do you use physical devices like back-up drives, DVDs, USBs?
- Do you use productivity programs like Trello to store data or information you’ve collected about individuals?
- Accounting software like Quickbooks…are they compliant and how do they hold payment/name/address, etc… information about your clients?
- Do you use a third party for landing pages like Click Funnels or Lead Pages? How do they handle the data people input to them for your free/paid opt-ins?
- Social media analytics…like FB analytics or IG analytics, or if you use an IG planning app like PLANN for IG analytics?
- Do you use an online scheduler where clients can enter in their info to book an appointment with you? Calendly, Eventbrite, 10 to 8?
- Do you put or collect data on individuals at home, in Excel on your home PC/desktop, tablet, phone or back-up drive?
- Do you use business email, whether it’s through your hosting company or through something like Gmail or Outlook? Chances are you’ve stored names/email addresses in your address book, and you have personal data in your emails that you want to make sure is secure.
- Do you use a 3rd party for your opt-in forms like MailMunch (because let’s be honest…the Mailchimp forms aren’t always the cutest)? That means you’re collecting data and sending it to them first, and then on to your email marketing processor.
- Do you use SoundCloud or YouTube for your business?
- Paper files/docs you have at home.
And the list can go on…… really, just take an audit of your business and find out where you’re collecting data, how it’s being stored (whether by you or a 3rd party processor), whether your data is being transferred from the EU to the US or another country, how long it’s being stored for, how secure it is, and whether you can get access to make changes/deletions if you are requested to do so by an individual.
2. Why are you collecting the data?
Now that you have a better idea of where/how you’re collecting data, and if you’re storing it or sending it off to a 3rd party processor, have a look and see what is truly necessary and legal for your business. Make sure you’re using the data as the individual has given you permission, and not for something else.
Go through each area where you’re collecting individual data, and if you don’t need to be using that data, can you delete it?
Get very clear…document why you are collecting this data.
3. For data you’d like to continue collecting…
Look at your 3rd party processors. Go to their sites and find out how they use and store the data you send them. See if they are GDPR compliant, plan to be, or are not. If you’re a big BUM coverer like I try to be, and your email marketing provider (as an example) doesn’t plan on becoming GDPR compliant, then start looking to switch to other 3rd party processors that are. Also find out whether they’re based in the EU or not. If the data is transferred outside of the EU, there must be security measures in place. If it’s going to the US, then the US has something in place called the Privacy Shield. Google it if you want more info about that, and here’s their link: https://www.privacyshield.gov/welcome
For data you’re collecting (in your Trello board, in Excel spreadsheets at home, in the database behind your website contact form, in the cloud, as some examples) decide…..do you need the info? Is it secure? Are you using it for what the individuals gave you permission for? Make sure you have a very clear path to be able to make changes, delete, erase, etc.. if an individual requests it, and to justify it as necessary if you get audited.
4. GET CLEAR
Oh-my-sweet-sweet-god, we’re nearly there!!!
5. Security Breaches
The GDPR requires you to get in touch with the relevant authority within 72 hours of becoming aware that your system (your website, your home computer, your cloud, your personal hard drive, etc..anywhere you hold user data) has been hacked/breached. Who that is depends on where you live, so Google it, but if you’re in the UK, you contact the ICO: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr
6. Upping your security
Try to make the data you do collect more secure. For example, if your site doesn’t have a security certificate (you’ll know because you more than likely had to pay for it, and your domain will start with https://) then look into getting that done. Double check that your 3rd party processors’ security is high and that they use encryption. These are just a few ideas to help you out….not an exhaustive list…
7. Document EVERYTHING
Document everything….so you can show, in the event you get audited or asked by an individual, that you know what data you’re collecting, how it’s being used, where it’s being stored, how long it’s being stored for, and how secure it is.
Phew! I’m sweating over here, it isn’t pretty.
Now…from the time I’m writing this article (9 March, 2018) you have a little over 2 months to get yourself sorted.
And, just an FYI….my business insurance company is offering free legal reviews of privacy policies….which is a great help and definitely in their best interest. You might want to check with your business insurance to see if they offer something similar. —just a thought 😉
Here are some of the links that you may want to check out (please use at your own risk and contact a solicitor/lawyer for any actions you take):
Tell me, have you already started this compliance process?
All my love,