Clueless about GDPR and customer data protection?

20 Nov 2017

Written by Alice Smithson

Guest blog post by Rachel Batho – Think Cirrus

What is GDPR?

The General Data Protection Regulation (GDPR) is the biggest change in data protection laws for 20 years, and when it comes into effect on May 25th, 2018, it intends to give European citizens back control over their personal data.

Businesses are collecting more personal data than ever before. But with the GDPR coming into force next year, are small businesses ready to change how they collect, store and use that data?

Could your business take a £310,000 financial hit? Sounds painful, right? That figure is the upper estimate of the average cost of a small organisation's worst breach of the year, up from £115,000 in 2014.

Data Protection Act & GDPR: The Principles

The Data Protection Act 1998 set out eight principles that UK businesses have had to consider and abide by. The GDPR keeps the substance of those principles but extends and strengthens them: Article 5 condenses them into six principles plus a new accountability requirement, while the old principles on individuals' rights and on international transfers are now dealt with in their own parts of the regulation. There is some further reading needed around these principles (handy links at the bottom).

The eight principles of the Data Protection Act are as follows:

  1. Principle 1 – Fair and Lawful
  2. Principle 2 – Purposes
  3. Principle 3 – Adequacy
  4. Principle 4 – Accuracy
  5. Principle 5 – Retention
  6. Principle 6 – Rights
  7. Principle 7 – Security
  8. Principle 8 – International

According to the Information Commissioner’s Office, the most significant addition is the accountability principle. The GDPR requires you to show how you comply with the principles – for example by documenting the decisions you take about a processing activity.

Article 5 of the GDPR requires that personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to individuals;

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be incompatible with the initial purposes;

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Article 5(2) requires that

“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”

 

What does this all mean?

So, for small business owners, how do we make this real? How do we get our heads around the principles and put real processes in place? Here are the top five things to think about when storing and processing customer data:

  • OPT IN

This is all about process. Consent is only one of the lawful bases the GDPR allows for processing personal data, but for sending marketing emails to consumers it is usually the one you need, so make sure everyone on your mailing lists has actively opted in, and that customers know their records are held on a database and what for. As a data controller or business owner you will need documented proof of each opt-in: who consented, when, how (web form, paper form, phone) and what they were told at the time. Pre-ticked boxes and silence do not count as consent under the GDPR.

  • OPT OUT

Again, this is about visibility and process. Customers must be told that they can opt out, and under the new regulation they have an absolute right to object to direct marketing at any time. That is separate from the new right to erasure (the "right to be forgotten"), which can require you to delete their data altogether rather than just stop mailing them. Either way, make it easy: an unsubscribe link that actually works, and a clear route for anyone who wants their data deleted.

  • TECHNOLOGY

Take this opportunity to re-evaluate your tech and your processes around collecting data. For example, in time for the GDPR iSalon will be adding a new electronic client form and the ability to delete clients, a new online client portal to manage opt-in, a CSV download of an individual client's data, and many other features to help with GDPR.

Other things to think about include your CRM and email marketing systems; do they communicate with each other? Does all your tech work appropriately with the processes you need to put in place?

  • FOLLOW UP & RESPONSIBILITY

The new regulations mean that if you receive a request to be forgotten you need to act and take responsibility: requests have to be dealt with without undue delay and within one month. Your business is the data controller, so nominate someone to own this (a formal Data Protection Officer is only mandatory in specific cases, but somebody still has to do the job): keeping databases up to date, storing consent records, and following up on requests. Yes, it's another admin task. But it needs to be done.

  • INTEGRITY

It's time to start treating people and their data with respect. Make sure the databases you use are secure and that access to them is limited to the staff who need it. Make sure your marketing activities consider your customers and how they'd like to be treated: what sort of messages would they like to receive, and how often? Now is the time to be courteous. It's more than regulation; use this time to re-evaluate the marketing communications and technology in your business.
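The process in the five points above (keeping proof of opt-in, honouring opt-out and erasure requests, exporting one client's data, and being able to show it was all done) has to be implemented somewhere in a small business's software. The Python below is an added example, not code from the original post, from iSalon or from Think Cirrus; the CustomerStore class, its field names and the sample client record are all constructed for illustration. It shows a consent ledger in which the most recent event for a purpose wins, a per-client CSV export, and an erasure that deletes the record but keeps a receipt containing no personal data plus a salted hash of the address, so that a later import from an old spreadsheet does not quietly undo the deletion.

```python
"""Consent ledger, marketing check, per-client CSV export and erasure receipt.
Added example, not code from the original post, iSalon or Think Cirrus; every
class, field and sample record here is constructed for illustration."""
from __future__ import annotations

import csv
import hashlib
import io
import secrets
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone


@dataclass
class ConsentEvent:
    purpose: str    # what the consent covers, e.g. "email_marketing"
    granted: bool   # True = opt in, False = opt out / objection
    at: str         # ISO-8601 UTC timestamp; one fixed format so strings sort correctly
    source: str     # how it was captured: "web_form", "paper_form", "unsubscribe_link"
    statement: str  # exact wording the customer saw, kept verbatim as proof


@dataclass
class Customer:
    customer_id: str
    name: str
    email: str
    consents: list[ConsentEvent] = field(default_factory=list)


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


class CustomerStore:
    def __init__(self, salt: bytes | None = None) -> None:
        self._customers: dict[str, Customer] = {}
        # Erased addresses are kept only as salted hashes: no personal data, but
        # an old spreadsheet import cannot resurrect someone who asked to be forgotten.
        self._salt = salt or secrets.token_bytes(16)
        self._suppressed: set[str] = set()
        self.erasure_log: list[dict[str, str]] = []  # ids and times only, never the data

    def _key(self, email: str) -> str:
        return hashlib.sha256(self._salt + email.strip().lower().encode()).hexdigest()

    def is_suppressed(self, email: str) -> bool:
        return self._key(email) in self._suppressed

    def add(self, customer: Customer) -> None:
        if self.is_suppressed(customer.email):
            raise ValueError("address was erased on request; needs fresh consent, not a re-import")
        self._customers[customer.customer_id] = customer

    def record_consent(self, customer_id: str, purpose: str, granted: bool,
                       source: str, statement: str, at: str | None = None) -> None:
        self._customers[customer_id].consents.append(
            ConsentEvent(purpose, granted, at or _now(), source, statement))

    def can_market(self, customer_id: str, purpose: str) -> bool:
        # Most recent event for the purpose wins; nothing recorded means no marketing.
        events = [e for e in self._customers[customer_id].consents if e.purpose == purpose]
        return bool(events) and max(events, key=lambda e: e.at).granted

    def export_csv(self, customer_id: str) -> str:
        # Everything held on one client, one row per consent event (access/portability).
        c = self._customers[customer_id]
        profile = {"customer_id": c.customer_id, "name": c.name, "email": c.email}
        rows = [{**profile, **asdict(e)} for e in c.consents] or [profile]
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=list(profile) + list(ConsentEvent.__dataclass_fields__))
        writer.writeheader()
        writer.writerows(rows)
        return buf.getvalue()

    def erase(self, customer_id: str) -> dict[str, str]:
        # Honour a right-to-erasure request and keep a proof that it was done.
        c = self._customers.pop(customer_id)
        self._suppressed.add(self._key(c.email))
        receipt = {"customer_id": customer_id, "erased_at": _now()}
        self.erasure_log.append(receipt)
        return receipt


def demo() -> dict:
    """Walk one constructed client through opt-in, opt-out, export and erasure."""
    store = CustomerStore(salt=b"fixed-salt-so-the-demo-is-repeatable")
    store.add(Customer("c1", "Ada Example", "ada@example.com"))  # constructed sample record
    store.record_consent("c1", "email_marketing", True, "web_form",
                         "Tick to receive our monthly offers by email", at="2018-05-25T09:00:00+00:00")
    opted_in = store.can_market("c1", "email_marketing")            # True
    sms_without_consent = store.can_market("c1", "sms_marketing")   # False: nothing recorded
    store.record_consent("c1", "email_marketing", False, "unsubscribe_link",
                         "Unsubscribe link in June newsletter", at="2018-06-01T12:00:00+00:00")
    opted_out = store.can_market("c1", "email_marketing")           # False: later event wins
    export = store.export_csv("c1")
    receipt = store.erase("c1")
    try:  # a re-import with different casing must be caught by the suppression list
        store.add(Customer("c2", "Ada Example", "Ada@Example.com"))
        readd_blocked = False
    except ValueError:
        readd_blocked = True
    return {"opted_in": opted_in, "sms_without_consent": sms_without_consent, "opted_out": opted_out,
            "export": export, "receipt": receipt, "readd_blocked": readd_blocked, "log": store.erasure_log}
```

The design point is the erasure receipt: accountability means being able to show that a request was handled, but the proof must not keep hold of the personal data you have just deleted, which is why the erasure log holds only an id and a time and the suppression list holds only a salted hash. In a real system the consent statement and timestamp would be written by the form that captured them, not typed in as they are in demo().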

 

Handy Links

https://ico.org.uk/for-organisations/guide-to-data-protection/principle-5-retention/

https://ico.org.uk/for-organisations/guide-to-data-protection/data-protection-principles/

 

About Think Cirrus

Think Cirrus provides managed IT services. Simply put, we look after all your IT, from PCs and applications to servers, data, protection and networks. We want to lend a helping hand, so you can focus on running your business.

Think Cirrus believes that every entrepreneur and business owner should invest in smart IT infrastructure. The old way of acquiring tech for your business, piece by piece, just doesn’t work – it’s time consuming and produces far from optimal results. We’ll take care of your IT conundrums so you can run and develop your business more efficiently.

We think differently about managing your IT. This means we're able to bring you modern tech solutions in a way that will free up time for you to prioritise your business.

Small businesses are often led to believe that modern, efficient and robust technology is the preserve of larger corporates.

That simply isn’t true. Working effectively, reliably and securely from your office, venue or home is now possible.

Think Cirrus, based in the heart of Chester, can manage and support all aspects of your IT; desktops; laptops; applications; e-mail; website; servers; data; security; conferencing & networks.