GDPR for SMEs in Plain English

23/05/2018, SEO

Video Notes

  • What is GDPR?
    • A new set of EU regulations taking effect on 25th
    • GDPR will also apply to UK organisations and any organisations holding data on EU/UK citizens
    • It governs how private data can be collected, stored and used

  • What is private data?
    • Anything that could identify an individual person – name, email, mobile phone number etc.

  • Is an IP address personal information?
    • Yes, if it can be linked to PII about that person
    • If you are holding data that could allow someone else to identify the person, then the data is PII

  • What will happen if I breach GDPR?
    • You could be fined €20m or 4% of turnover, whichever is the greater
    • If you can prove that you have made every attempt to comply, it is unlikely that a small business will be fined this much
    • If you ignore it and do nothing – good luck!

  • How likely is it that I will get caught?
    • PPI claims – private complaints

  • Who does GDPR apply to?
    • Anyone controlling or processing PII data and anyone with whom you share the data

  • What does GDPR say about how I should use PII?
    • You must use it lawfully, honestly and fairly
    • You must only use it for a purpose for which the person has given permission or would reasonably expect you to use it.
    • You must not store more data than is necessary for the purpose for which you are using it.
    • The data must be accurate.
    • You must not hold on to the data for longer than it will be reasonably needed.
    • You must protect the data and keep it confidential
    • You must be transparent and inform people what data you will hold on them
    • You must immediately remove their data if they ask you to
    • If their data is breached, you must let them know immediately and make every reasonable attempt to secure it.
    • If you do need to ask permission, that permission must be shown clearly and be specific for each separate purpose.

  • Do I need to re-ask for permission to send marketing emails?
    • Depends how they got on your mailing list.
      • You do not need to ask their permission if…
        • They already gave it and you are still using it in the way that they agreed.
        • They are actual customers who may reasonably wish to hear from you and you are using their data in a way that they would reasonably expect you to.
      • You do need to ask for their permission if…
        • You cannot be sure how they got on your list
        • The way you are using their data has changed
      • If they were never your customer and never gave you permission you cannot now ask for their permission.

  • Actions you should take right now
    • Make sure that any PII is secure and held with a GDPR compliant controller
    • Update the data retention period in Google Analytics (GA)
    • Update your privacy policy to be GDPR compliant
    • Update your cookie message to be GDPR compliant
    • Update your mailing list signup and web forms to be GDPR compliant
    • Check that any third-party plugins/services used by your business/website are GDPR compliant
    • If you are using Google Analytics, Remarketing, cookies, logins or social sharing on your site – ask for permission
    • If you wish to use PII in any way that may not comply with your previous privacy policy – ask for new permission.
    • Make sure that anyone who has access to your PII understands how and when it can be used.