If you own a business in the UK, or your Canadian business trades with any country in the EU, you’ll need to take action.
The new GDPR legislation comes into force on 25th May 2018, and it affects the use, acquisition and storage of personal data of any citizen or resident of any EU member state.
This applies regardless of where your business is based.
So, if you sell goods or services to Europe, even online, you need to take notice and act now.
GDPR - the panic and the reality
The European media are, frankly, rather making a meal of GDPR. This is mainly fuelled by the fact that each national data authority can now levy enormous fines on businesses that fail to act on serious data breaches and other data loss.
However, most of GDPR is actually common sense. Much of it is already enshrined in most EU member countries’ data protection legislation. What GDPR does is create a standard set of requirements across the EU, and enable individuals to ‘own’ their personal data.
Accessing GDPR information
The original EU legislation document is a bit dense but the UK Information Commissioner’s Office (ICO) online information is easy to read and includes lots of useful tools. You’ll need to set aside several hours to read the information and work out what your business needs to do to comply, so put a jug of coffee on first!
What is personal data?
Personal data is any information relating to an identified or identifiable real person. This includes their name, birth date, mobile device IDs, email addresses (yes, even their work one), social media posts, photos, and much more.
The core principle of GDPR is that every individual owns their personal data, NOT the business or company that holds those details on its database. GDPR gives the individual, known as the Data Subject, various key controls over their personal data, including:
• Right to Access
• Right to Erasure
Businesses and personal data
As a business owner, you probably already hold a lot of personal information on your clients, customers, prospects and suppliers. Nearly all of it would be for the purposes of doing business with them, either in the past or the present. As GDPR states:
“Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”
GDPR requires any organisation or business holding such data to decide why they need the data and categorise it under a “lawful basis of processing”.
There are six of these lawful bases, and once you’ve chosen one, you need to stick with it. You can have different lawful bases for different data you hold. So, you might choose one for your customer details, and another for data gathered for a competition or similar. The important part is that a business must make clear at the time of data collection what that data will be used for, and therefore which lawful basis it comes under. Once data is collected under one basis, it can only be processed for that basis. It is not transferable.
Personal data consent
Consent is another core principle of GDPR. Consent from an individual to use their data must be:
• Freely given - i.e. they must have a choice NOT to give it
• Specific - the business must make it clear why they are asking for the data
• Informed - the individual knows the purpose their data will be used for
• Unambiguous - there must be a “clear affirmative action” that individuals do to give consent
If you’re getting lots of emails asking you to ‘reconnect’ with mailing lists and businesses who send you marketing information, newsletters, etc., this is the reason why.
In the past, some businesses pre-ticked the “Send me your marketing information” boxes on their order forms. An individual had to de-select this tickbox to ‘opt out’. This is not allowed anymore. GDPR requires a “clear affirmative action” from the individual to give consent to their data being used. They must actively “opt in”, and tick their own box!
For example, if your business ran a prize draw and didn’t give entrants the option to choose whether or not to be sent marketing material, you will need to ask entrants who are now on your mailing list for specific consent to send them material in the future. Hence the emails.
GDPR: actions your business needs to take
Once you’ve read all the information, you might feel a little overwhelmed (we certainly did!). Luckily, the UK ICO has produced a document entitled “12 steps to take now” which guides you through exactly what your business needs to do to be compliant.
One of these is that data subjects now have the right to ask what data your business holds on them, and to see it in an easily accessible format. This may include access to their account data on your e-store, or a printout of your database entry. Provided their request is reasonable and they don’t keep asking time and time again, your business must provide this information for free.
Whatever data you store, it needs to be secure. With the advent of cheap storage, most businesses have probably got a lot more personal data than they need to keep. This is potentially stored in various locations including cloud storage, old hard drives, old backup tapes, printouts, etc. The aim of GDPR is to reduce the risk of data breaches, and that includes the principle of ‘data minimisation’: only keep what you need, for as long as you need to.
Just to say that Akira Studio stores all our client data using high-end encryption, and the same applies to any Akira Studio built website and email system. Websites are constantly monitored and only hosted in your country of operation. If your website is more than five years old, you should consider upgrading it to a newer one for better security, including SSL, and improved performance on mobile devices too. Call us to discuss your requirements.
If you already use an email mailing list, and even if everyone on it has given their consent, you’ll need to ensure the Unsubscribe message you feature on all marketing emails is GDPR compliant. Data subjects must be able to opt out of mailing messages every single time they receive one. So make sure this is clear, and consider using an external bulk emailing service such as MailChimp, which offers automatic list management.
GDPR and Akira Studio websites
If you have an Akira website, there are three key elements you’ll need to look at in the light of GDPR:
1. Your contact form
Any sign-up forms should be written so as to establish unambiguous consent, such as a checkbox with the words, “I would like to receive email newsletters from (your business name here).” Never use a pre-ticked box!
It’s not a requirement of GDPR, but some business groups advocate the use of mailing terms and conditions. For more details on these, and some example mailing list forms, see this White Paper.
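How a website’s form handler can enforce the consent rule above: the checkbox starts unticked, a missing or unticked box records no consent, the exact wording shown to the visitor is stored with the record so the consent is demonstrably informed, and consent is tied to the one purpose the wording named, so it cannot be reused for another purpose (the “not transferable” point made earlier). This is an added illustration in JavaScript, not Akira Studio code; the field name `newsletter_consent`, the value `yes`, the business name and the purpose labels are assumptions.

```javascript
// Added example, not Akira Studio code. Server-side handling of a sign-up
// form's consent checkbox. Field names, values and purpose labels are assumed.

// The single purpose this form asks consent for. Consent is recorded against
// this label only; a different purpose (e.g. a prize draw) needs its own ask.
const NEWSLETTER_PURPOSE = "email-newsletter";

// The exact wording shown beside the (unticked) checkbox. Storing it with the
// record shows what the person was informed of when they ticked the box.
const CONSENT_WORDING =
  "I would like to receive email newsletters from Example Bakery.";

// Renders the checkbox for the sign-up form. Note the deliberate absence of a
// `checked` attribute: the visitor must tick it themselves.
function renderConsentCheckbox() {
  return (
    `<label><input type="checkbox" name="newsletter_consent" value="yes"> ` +
    `${CONSENT_WORDING}</label>`
  );
}

// Builds a consent record from submitted form fields. A browser only submits
// a checkbox field when it is ticked, so an absent field means "no". Any value
// other than the one the form sets is also treated as "no": there is no
// default of consent.
function recordConsent(formFields, now = new Date()) {
  const ticked = formFields.newsletter_consent === "yes";
  if (!ticked) {
    return { email: formFields.email, consented: false, purposes: [] };
  }
  return {
    email: formFields.email,
    consented: true,
    purposes: [NEWSLETTER_PURPOSE],
    wording: CONSENT_WORDING,
    consentedAt: now.toISOString(),
  };
}

// Consent given for one purpose does not carry over to another: processing
// is allowed only for a purpose the record explicitly lists.
function mayProcess(consentRecord, purpose) {
  return consentRecord.consented && consentRecord.purposes.includes(purpose);
}

// The unsubscribe link in every mailing calls this: withdrawal is recorded
// with a timestamp and all purposes are dropped.
function withdrawConsent(consentRecord, now = new Date()) {
  return {
    ...consentRecord,
    consented: false,
    purposes: [],
    withdrawnAt: now.toISOString(),
  };
}

// Constructed sample submissions, standing in for real form posts.
const tickedSubmission = { email: "a@example.com", newsletter_consent: "yes" };
const untickedSubmission = { email: "b@example.com" };

const ticked = recordConsent(tickedSubmission);
const unticked = recordConsent(untickedSubmission);
console.log(renderConsentCheckbox());
console.log("newsletter ok for a:", mayProcess(ticked, NEWSLETTER_PURPOSE)); // true
console.log("prize draw ok for a:", mayProcess(ticked, "prize-draw")); // false
console.log("newsletter ok for b:", mayProcess(unticked, NEWSLETTER_PURPOSE)); // false
console.log("after unsubscribe:", mayProcess(withdrawConsent(ticked), NEWSLETTER_PURPOSE)); // false

module.exports = { renderConsentCheckbox, recordConsent, mayProcess, withdrawConsent, NEWSLETTER_PURPOSE };
```

The point of `recordConsent` is that “no field” and “wrong value” both fall through to the same unconsented record; nothing in the handler can produce consent without the visitor’s own tick. Keeping the wording and timestamp with the record is what lets you answer a later access request or a question from the ICO about what the person actually agreed to.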
Template GDPR policies
Since every business will use its data slightly differently, Akira Studio can’t create or offer a ‘template’ policy text. Your business will need to write this itself. Again, the ICO has some great advice on writing your own.
Confused about how to change or update your website for GDPR?
Call us. We’re always happy to help!