New Data Protection Legislation comes into force (being enforceable) in May 2018. Find out why it’s important to understand what you need to do.
Please note: the information contained on this page does not constitute legal advice.
Do you have ANY individuals inside the EU on your marketing lists, have you sold to them in the past, or are you actively targeting them? Then GDPR applies to you (yes, even if you’re outside of the EU).
If your business is established inside the EU then GDPR automatically applies to your business.
So, let’s take a look at what it is and why it’s important to you and your business.
What is GDPR?
GDPR is the General Data Protection Regulation and is enforceable from 25 May 2018. This means that all EU member states will either have their own individual country legislation passed by this date (and enacted) or choose to use the general regulations as law.
It’s a general regulation, which means that even if the EU member state doesn’t enact a law the regulations are still implemented.
Essentially, GDPR covers any personal data of individual natural persons inside the European Union. So, it doesn’t just cover businesses inside the EU. If your business holds, stores or actively uses data of individual persons inside the EU then the law is applicable to you.
What is personal data?
Personal data covers anything that can identify a person, such as:
- Bank details
- Phone number
It also covers any other element of data that can identify an individual. This can cover a number of things, but let’s just say that an IP address (an address that is assigned to your internet router) is treated as individual identifiable data under the regulations. Yep, complicated.
Why all of the fuss?
There’s been a lot of sensationalism around the fines for companies not adhering to the rules: the likes of a maximum fine increasing to either 20 million euros or 4% of global turnover (whichever is higher).
If we take the UK as an example, the current Data Protection Act of 1998 allows a maximum fine of £500,000. With GDPR this will increase to around £17 million, so you can see why a lot of people are taking notice and wanting to become “GDPR compliant”.
Due to this, the media is currently running lots of stories about the fines and compliance, with quite a lot of misinformation floating around.
Has there been much media coverage?
There has. Especially in the UK (a perspective I talk from), but that doesn’t mean to say everyone is up to speed with the law and is implementing changes.
The ICO (Information Commissioner’s Office) in the UK has been promoting GDPR on radio and TV ads.
Larger businesses are fully aware of GDPR and have been working behind the scenes for months (some multi-nationals for years). But, a lot of micro or small businesses still aren’t aware of what GDPR is and why data protection is so important.
If you followed the recent Cambridge Analytica/Facebook scandal then you can see why it is an important subject.
Surely, it’s not applicable to me
If you operate a business inside the EU then it’s applicable.
If you’re B2B then it’s applicable too. (You generally need a person’s email address [[email protected]] or their name to put on the invoice, right? Well, that’s considered personal data under the new laws.)
Oh, and if your business is established inside the EU then EVERYONE’S personal data comes under the protection of GDPR no matter where they are.
Outside the EU?
There’s a lot of talk by companies outside of the EU that they’re not bothering with GDPR. For most smaller businesses I can understand why: it’s a law by a state so far away, so does it really matter? In one thought they could be right. Until the point comes when they are investigated and then summoned in their own country’s court for a violation.
Will that ever happen? Maybe not for a small company, but for one over 1 million revenue a year? I can see it might. Especially if they’re continuing to do the same things with personal data that GDPR is trying to stamp out.
What steps should I take?
There are a lot of different ones for you to take to become compliant.
The first is understanding your legal grounds for processing data.
Legal grounds for processing, what’s that?
Processing data under the regulations is considered any “use” or “storage” of data, among other things. That means any storage of personal data on a CRM will be covered.
Any names and emails in your email marketing system are covered.
Any contact forms on your WordPress website or in your email account are covered.
The list is quite endless.
The main thing is that you need to have a legal ground for processing. These include: legitimate interests, consent, legal obligations and contract. There are two others, vital interests and public task, but they’re usually for government bodies, etc.
A main one people are talking about in relation to marketing and online activities is consent.
How does it affect my WordPress website and marketing?
Quite a bit.
If you have opt-in boxes (such as lead magnets, etc.) then it matters quite significantly.
In order to process personal data (and provide a person with the lead magnet) you need their name and email (at a minimum). And, you require consent.
How do you get consent?
Usually in one of two ways:
- A tick/check box that is unticked/unchecked
- A double opt-in email
Some argue that the double opt-in isn’t explicit enough and others argue that you don’t tend to need consent if you’re emailing them in direct relation to the lead magnet they have downloaded, for example (using legitimate interests as the legal grounds).
However, if they receive one or two emails relating to your lead magnet and you then want to send them your newsletter emails or offers on your products or services, then you need to get consent from them if you’ve used legitimate interests for sending the emails linked to the lead magnet download.
Not so complicated, eh? 😉
Is this just about online data?
No. It covers any and all data that can identify a natural person inside the EU (specifically the regulations say natural persons inside the Union).
If your website and online marketing activities only make up a fraction of your business (and the personal data you collect/process) then there will be other aspects to look into and ensure that you have a good understanding.
Employee data & B2B data are covered too
This means that if you have employees then their data is covered under GDPR. There are certain processes you should put in place to ensure that you as a business are compliant, but also that your employees understand what GDPR is and what safeguards are in place to ensure personal data of your customers/clients is protected too.
If you’re in B2B then any identifiable personal data are covered too (as well as employee data). Let’s say you communicate with “Sandra” at company A and you keep a record about how often she’s ordered something and communicate through email. If her email address is [email protected] (or her first and last name @) then that is identifiable information and requires certain policies in place.
These cover anything to do with a person’s sexual preference, orientation, their religion, any health or medical data, and political affiliation (among a list of others).
You will need extra consent (explicit) to collect and store these data (see the GDPR pack below for more details).
What about security/storage?
Data security is super important.
Right down to the security of your website backups and data contained in an online email account. But, it also includes any data stored on your devices too.
So, ensure your phone or tablet is locked at all times when you’re not using it and that your laptop has adequate security, anti-virus and malware protection (yes, even Mac users) to ensure you don’t have a data breach or a data loss – which isn’t great in the eyes of a supervisory body like the ICO.
You should also be aware of data transfer outside of the EEA (European Economic Area). If you have the likes of Dropbox, Google Drive or Apple then these are companies that store data outside of the EEA. When data is transferred (or stored) outside of the EEA extra provisions are needed (see below).
Data transfer. What’s that?
Processing and storing data outside of the EEA under GDPR is restricted. There are certain steps you must take to ensure that the data you process (which includes “use”, “storage” and many other things) and move outside of the EEA.
There are a number of steps:
- 12 countries with adequacy findings – a number of countries, including Canada and New Zealand (not Australia though), are deemed by the EU as having adequate privacy laws in place and don’t require anything further than the processors you use to be compliant under local law and have an agreement with you.
- EU/US Privacy Shield – if the company in question is located in the United States then they need to be part of the EU/US Privacy Shield. This is a protection scheme that has appropriate safeguards in place.
- Contractual Clauses – if none of the above apply (for example, a US company that isn’t in the shield), then you can use what is known as model clauses in your agreement with the processor you are using to store or use the data you have.
- Explicit Consent – this is the final stage where each and every data subject (person) must explicitly consent to their data being processed outside of the EEA. It’s not really a great place to be in, but it can be used as a last resort.
As you can see it’s a bit of a minefield understanding things.
Where do I find out more info/get help?
Having gone through GDPR steps to compliance in recent weeks, and having helped a number of different clients do the same, there’s a lot of misinformation out there and many different people wanting to make a quick buck.
But, Suzanne Dibble, a data protection lawyer in the UK, has a GDPR pack for businesses that is reasonably priced and a lot of different videos to help you become GDPR compliant.
The pack by Suzanne contains many different documents that you might need in order to become GDPR compliant.
If you’d like some help implementing everything in your business, or on your website, then get in touch with me using our contact form on this page.