By Alex Goodier – ©Alexandra Goodier Ltd 2018
There appears to be a lot of misconception about the General Data Protection Regulation (GDPR). Here are some of the comments I hear regularly.
- It seems like lots of people are ignoring GDPR, I’m going to ignore it also as it will just go away.
- It’s ok to copy someone else’s Privacy Notices, that will keep me compliant.
- GDPR doesn’t apply to me because I only have paper records.
- GDPR doesn’t apply to me because I destroy all of the names.
- GDPR doesn’t apply to me because I write in code so that no one knows the names.
- My web person will do all of my GDPR stuff.
- No one will check on me so why bother.
- I can contact someone to tell them about my services for the first time.
- The government is still making changes, so I don’t need to do anything yet.
- I’m too small for them to pick on, they have bigger fish to fry.
- I have my client’s verbal permission to contact them and I’ve always done it.
- I can post photos of people on my website and social media because we were all at the same event.
I understand why so many have taken this approach, but is it the best way to safeguard your business? The risks may be much higher than you realise. It’s true that the ICO, the regulatory body responsible for the Data Protection Act and GDPR, would prefer not to fine you in the first instance. However, you will need to demonstrate compliance with the principles of the General Data Protection Regulation. Are you aware of everything that is required to demonstrate compliance? How will the reputation of your business be affected if customers, potential clients or other businesses don’t feel you are safeguarding their information?
Privacy Notices have become a way to verify if a business or service is legitimate. First, please never copy someone else’s privacy statement. There will usually be a copyright in place. I have had many people tell me that they have copied their Privacy Notice from someone who “must” know what they are doing. When reviewing it, I usually find that some, if not all, of the key areas required by the ICO are missing, such as the lawful basis (or bases) for processing and how long the data will be held. Even worse, they do not provide the defence that their business requires, or understand why they should have it. Approximately 90% of the Privacy Notices I have read do not comply with the GDPR requirements.
The Data Protection Act 2018 was updated to give the same protection to British citizens as EU citizens. The Data Protection Act has not gone away; it now has teeth and encompasses the digital world. This means there are still requirements even if you only hold paper documents or just a name and phone number. It also means Brexit will not affect it.
Another area that has significant potential for catching businesses out is the new direct marketing rules, which include social media posts, groups and messages. There is a lot of stricter regulation in this area and it is very easy to get wrong. I strongly recommend you understand how the rules apply to you (even if you are a sole trader using your personal profile) before you advertise, as this could potentially cost you dearly.
By now, you may wonder why you should even stay in business. It seems like the chips are stacked against you. The truth is there are some safeguards for your business in GDPR, and it is very important to know what they are. The curious conundrum is that business owners want their personal data protected and they don’t want to be sold at. However, when they are looking for customers/clients they are happy to sell at them. Would you want your personal data stored the way you store their data? Do you know the rules on holding data? (Please do not just delete the data without knowing what is required. Some data may be there to safeguard you.) GDPR is not there to stop you doing business; it is there to accommodate the changing world we live in and make your business stronger.
Finally, there is good news. I have created a series of services and training that are cost effective and tailored to the information you need to know for your business.
It is possible to get Tailored GDPR Training for your business (from £59.00), Tailored Direct Marketing & GDPR training (from £69.00), Privacy Notice evaluations (from £40.00), and Privacy Notices, GDPR Impact Assessments, DPIA documentation, and PIA documentation, to name just a few.
If you have questions or concerns, please feel free to call me to discuss on 0779 229 3551 or email: firstname.lastname@example.org. Facebook: @AlexandraGoodierLtd