The new EU data protection law is fast approaching, and yet a lot of us are still unsure how it affects us. If you’re an SME business and have yet to act, here are some key points to push you in the right direction:
Data mapping – Know what data you are keeping
The first step when tackling GDPR is to map out what data you keep. Grab a pen and note down all the places where customer and employee data is stored, and who and what programs (such as CRM systems) have access to it.
In your terms and conditions, set out what client data you keep on file and for how long. Note that if you use third-party vendors and need to pass on customer data, this should be included in your terms. For example, if you use a courier to send out goods, the customer’s address will be passed to the vendor. It goes without saying that this is an essential step in completing your contract of sale, and you should be covered if it’s within your terms and conditions. The same applies to your employees: review the contracts of employment and make sure you are covered for the data you hold on them and for any checks you may do, such as email monitoring, CRV checks, or social media activity monitoring.
Security agreements – Know that your vendors are covered
Just as you need to protect yourself, you need to be sure that the vendors you use are covered too. Obtain a copy of their data protection agreements to make sure they are compliant.
Data retention – Procedure for the removal of data
Data should not be kept indefinitely. Formulate a procedure for the removal of data that has surpassed your retention policy, and note that the legal requirements for how long data must be kept will vary depending on what data you hold.
Email marketing – Consent
This is a big subject; there are a lot of ways the GDPR relates to how you obtain data and how it can be used. I won’t be going into detail at this time, but I have two essential points for you to look at:
- Always include an ‘opt-out’ option in any marketing flyer or email.
- If you obtain a personal email address, i.e. firstname.lastname@example.org, request that the person ‘opts in’ to receive newsletters before adding them to a mailing list.
Brexit – Will we still have to comply with GDPR after we leave?
Yes. GDPR is an EU requirement; however, even after Brexit, GDPR will still be applicable, as we will still have to deal with the EU.
I hope you found these basic tips useful. GDPR is essentially about transparency and accountability for the data you hold.