Don’t Overlook These Three GDPR Checks

GDPR checks

With the General Data Protection Regulation (GDPR) just around the corner, there are a few things we all need to check before May 25 2018. Here are three key GDPR checks your business needs to be compliant. Is your privacy policy, email marketing, and compliance programme ready?

Privacy Policies

A lot of organisations are now looking at their privacy policies with great urgency to meet the GDPR deadline. If you’ve read our practical marketing advice about copy and pasting terms and conditions (which sometimes also include a privacy policiy), you’ll be aware that there are many companies out there that have policies that do not even apply to them or even name another company!

We’ve seen text similar to the following in a lot of policies we’ve looked at:

“Transfers outside the European Economic Area

Data which we collect from you may be stored and processed in and transferred to countries outside of the European Economic Area (EEA)”

Okay, this could be fine, but then there’s usually more:

“These countries may not have data protection laws equivalent to those in force in the EEA.”

We’ve actually seen this exact wording whilst auditing websites and this is not good. Generally, data should not be transferred outside the EU. If it is, it should only be to a country that has legislation guaranteeing an equivalent level of protection.

It is up to you to ensure your customer’s data is adequately protected. It isn’t enough to notify customers that their data may be sent to a location where it won’t be adequately protected.

The policy mentioned above would then go on to say:

“If we transfer Data outside the EEA in this way, we will take steps with the aim of ensuring that your privacy rights continue to be protected as outlined in this privacy policy. You expressly agree to such transfers of Data.”

Ensure Your Customer’s Privacy Rights

It’s good to “take steps with the aim of ensuring that [your customer’s] privacy rights continue to be protected as outlined in [your] privacy policy”, but the only way to do that is to comply with the GDPR and not transfer any data outside the European Economic Area, unless that other country can offer an equivalent level of protection under law and you are able to demonstrate the organisation you’re working with has adequate protections.

Remember to check your privacy policies. Even if yo believe you are compliant, your privacy policy  may not have been updated adequately. You may need to change some wording or delete parts of your current privacy policy in order to be compliant with the GDPR.

Although a robust privacy policy is an important part of being GDPR compliant, it is only one part of compliance. This brings us to what is still the most useful tool we can use to reach our audience; email marketing.

Email Marketing

Efficient email marketing needs us to rely upon a third party to provide the service. By uploading your list of subscribers, you may be transferring data outside of the EU. The most important thing to remember is:

  1. Make sure the data is held securely
  2. Make sure everyone on your list wants to be there

In terms of non-EU based services, if you’re using something like Mailchimp, you should be fine as the United States currently has agreements in place with the EU governing the use of personal data that are currently regarded as being equal to the GDPR.

MailChimp are very strict and use safeguards to ensure they are not sending spam emails. To do this, MailChimp use a double opt in method to subscribe new users. A double opt-in is just one way to help prove your subscribers actually wanted to be on your list in the first place, although it isn’t the only way.

You may need to demonstrate that your user’s data is safe, so you can read more about how MailChimp keep your data secure here.

Read more about MailChimp and the GDPR here.

Compliance Programme

We’ve looked at two marketing specific areas, but it’s important not to overlook our staff, as they also have an important part to play in data protection. GDPR requires accountability, which requires good record keeping to demonstrate compliance. Including staff in GDPR changes is very important.

If you’re using service management software to log jobs and verify completion, you will be gathering a lot of data. Some of it corporate and some of it personal. A lot of the data will be collected by your engineers, including images of customer property.

As with email marketing providers, you need to ensure your service management software provider is GDPR compliant. It’s also essential that your customers understand their data is being kept securely. Employees need to be included in GDPR changes and understand why data protection is important for your customers.

Implementing the Programme

Be honest and up-front about your use of software, how it is stored and what you do with it once it has been collected. This goes for both staff and customers. Making sure your service management software provider will give you your data should you choose to leave them and not use it for their own marketing is an important guarantee to have.

Staff need to understand that your customer’s data is precious. Because engineers will be using mobile devices in the course of their duties, you must ensure they keep devices secure. Your staff should be trained to use passwords to unlock the devices and to log into your service management software app or web page.

Back at the office, your computers should be password protected and encrypted to guard against the theft of data. It can be common practice even, in the most critical of data security environments, to share passwords. Passwords should never be shared between users. Any paper records that are printed should be shredded and securely disposed of.

Have processes for keeping and managing data that is easy to understand so all of your staff can follow them. Keep written records and policies that will show that you are being compliant.

GDPR Evolution not Revolution

Although GDPR is new, a lot of its core philosophies already exist in legislation such as the Data Protection Act 1998. GDPR itself is often common sense and a matter of respecting the privacy of others. Think about how you can keep data securely, use it in a fair manner and be transparent with the people and organisations you hold and process data about.

GDPR doesn’t have to be scary, it’s more of an evolution; a reminder of the responsibilities we have to others. If you’re unsure about how the GDPR affects your organisation, the best place to go is the ICO website, which has lots of guidance on regulation.

If you’d like to talk about your privacy policy or GDPR compliant email marketing, we’re here to talk. Let us know what GDPR checks you’ve been doing in the comments below.