A lot of organisations are now looking at their privacy policies with great urgency to meet the GDPR deadline. If you’ve read our practical marketing advice about copying and pasting terms and conditions (which sometimes also include a privacy policy), you’ll be aware that there are many companies out there whose policies do not even apply to them, or even name another company!
We’ve seen text similar to the following in a lot of policies we’ve looked at:
“Transfers outside the European Economic Area
Data which we collect from you may be stored and processed in and transferred to countries outside of the European Economic Area (EEA)”
Okay, this could be fine, but then there’s usually more:
“These countries may not have data protection laws equivalent to those in force in the EEA.”
We’ve actually seen this exact wording whilst auditing websites, and this is not good. Generally, data should not be transferred outside the EU. If it is, it should only be to a country that has legislation guaranteeing an equivalent level of protection.
It is up to you to ensure your customers’ data is adequately protected. It isn’t enough to notify customers that their data may be sent to a location where it won’t be adequately protected.
The policy mentioned above would then go on to say:
Ensure Your Customer’s Privacy Rights
Efficient email marketing means relying on a third party to provide the service. By uploading your list of subscribers, you may be transferring data outside of the EU. The most important things to remember are:
- Make sure the data is held securely
- Make sure everyone on your list wants to be there
In terms of non-EU based services, if you’re using something like MailChimp, you should be fine, as the United States currently has agreements in place with the EU governing the use of personal data that are regarded as being equal to the GDPR.
MailChimp are very strict and use safeguards to ensure they are not sending spam emails. To do this, MailChimp use a double opt-in method to subscribe new users. A double opt-in is just one way to help prove your subscribers actually wanted to be on your list in the first place, although it isn’t the only way.
You may need to demonstrate that your users’ data is safe, so you can read more about how MailChimp keep your data secure here.
Read more about MailChimp and the GDPR here.
We’ve looked at two marketing-specific areas, but it’s important not to overlook our staff, as they also have an important part to play in data protection. GDPR requires accountability, which in turn requires good record keeping to demonstrate compliance. Including staff in GDPR changes is very important.
If you’re using service management software to log jobs and verify completion, you will be gathering a lot of data, some of it corporate and some of it personal. A lot of the data will be collected by your engineers, including images of customer property.
As with email marketing providers, you need to ensure your service management software provider is GDPR compliant. It’s also essential that your customers understand their data is being kept securely. Employees need to be included in GDPR changes and understand why data protection is important for your customers.
Implementing the Programme
Be honest and up-front about the software you use, how the data it collects is stored and what you do with that data once it has been collected. This goes for both staff and customers. Making sure your service management software provider will give you your data back should you choose to leave them, and will not use it for their own marketing, is an important guarantee to have.
Staff need to understand that your customers’ data is precious. Because engineers will be using mobile devices in the course of their duties, you must ensure they keep those devices secure. Your staff should be trained to use passwords to unlock the devices and to log into your service management software app or web page.
Back at the office, your computers should be password protected and encrypted to guard against the theft of data. It can be common practice, even in the most critical data security environments, to share passwords. Passwords should never be shared between users. Any paper records that are printed should be shredded and securely disposed of.
Have processes for keeping and managing data that are easy to understand, so all of your staff can follow them. Keep written records and policies that will show that you are being compliant.
GDPR Evolution not Revolution
Although GDPR is new, a lot of its core philosophies already exist in legislation such as the Data Protection Act 1998. GDPR itself is often common sense and a matter of respecting the privacy of others. Think about how you can keep data secure, use it fairly and be transparent with the people and organisations whose data you hold and process.
GDPR doesn’t have to be scary; it’s more of an evolution, a reminder of the responsibilities we have to others. If you’re unsure about how the GDPR affects your organisation, the best place to go is the ICO website, which has lots of guidance on the regulation.