GDPR: How to Ensure You’re Compliant

GDPR, four letters that might induce anxiety amongst small (or even large) businesses. It doesn’t need to be that way. Yes, the prospect of a substantial fine is scary. Yes, there might be more legwork involved. However, there are considerable benefits to ensuring your organisation is GDPR-compliant. Leaner databases made up of those who are much more likely to engage, for one. Plus, a competitive edge over those who aren’t sensitive to, or respectful of, people’s data. Given that it’s Data Privacy Day, we thought it would be handy to put together a checklist for ensuring compliance – one that’s (hopefully) easy to digest. Read on for the CRYSTLSD checklist for GDPR-compliance…

✅ Understand the basics

What is GDPR? What does Personal Data even mean? What about Brexit? All very valid questions that everyone in your organisation should be able to answer. Firstly, GDPR replaced the Data Protection Act in May 2018. Secondly, the legislation aims to harmonise data protection laws across the EU. Thirdly, it’s a good idea to remain compliant in spite of Brexit. Why? Because even after Brexit comes into effect, it is likely that the current regulations will stay in place for some time before being replaced by new, domestic legislation. With regards to ‘personal data’, this essentially means any information that could relate to an identifiable human being. So: names; email addresses; phone numbers; addresses, and so on.

✅ Look back to move forward

Sounds a bit, well, backwards, but it’s worth looking at your existing processes and policies to improve your level of compliance. First off, carry out an information audit. In plain English, this involves: looking at how you use personal data; looking at how said data is collected and stored; considering who can access it and, finally, looking at the security measures in place to protect it. Only after you have assessed where you are right now can you begin to plan how you’re going to move forward.

Look at the security measures you already have in place

✅ Consent: A short overview 

According to the GDPR, consent is a written or oral statement ‘given by a clear affirmative act establishing a freely given, specific, informed and unambiguous’ indication of agreement. In addition to this, there are six legal grounds through which you can process data. You can find them over at ICO. In summary: if the individual has given consent, fine; if it’s necessary for your organisation to comply with a legal obligation or for the performance of a contract, say, also fine; if it protects the vital interest of the individual or is in the public interest, again, fine. What’s interesting, from a marketing perspective, is the processing of data for direct marketing purposes. Namely, that direct marketing is specifically referred to as a legitimate interest, providing the relationship between the data controller (you) and the individual is ‘relevant and appropriate’. Of course, there needs to be a balance between the company’s interest and the rights of the individual, and consent needs to have been given. Even still, for marketers, this is a sure-fire win.

In direct marketing, there needs to be a balance between the company’s interests and the individual’s rights

✅ Pep up your policies

Your privacy policy is important. Why? Because it’s your go-to if ever you need to evidence your compliance. A good privacy policy will tick two boxes: it will be sufficiently comprehensive so as to inform the consenting individual, and it will be sufficiently clear that they can understand it. Be sure to cover the individual’s rights, i.e. the right to be informed; to access; to erasure; to rectification; to processing; to data portability, and their right to object, and you’re well on your way to a solid policy. With regards to statements, it’s advisable to have formal guidance in place on what users should do in the event of a security breach. As ever, the key here is to be clear, unambiguous and informative.

✅ And finally: A note on SMEs

If you’re a Small or Medium-sized Enterprise, you’re in luck, as the checklist for compliance isn’t as extensive. As an SME, you don’t necessarily need to appoint a Data Protection Officer; you don’t need to keep records of processing activities, and you aren’t liable to report all data breaches to individuals unless, of course, the breach represents a high risk to their rights and freedoms. You do, as with everyone else, have to be GDPR-compliant in all other areas. Luckily, you can refer back to our checklist, above. Handy!

How do you feel about GDPR? Let us know by tweeting us @crystlsdteam