3 GDPR Traps for Network Marketers to Avoid

 

1. “I DIDN’T REALISE GDPR APPLIED TO ME”

The biggest trap Network Marketers could fall into is to assume that “the GDPR is only for big companies; it doesn’t apply to my network marketing business because that’s just me”. Alternatively, it might be assumed that if your business just uses email addresses and phone numbers of friends, family and others you know personally, the GDPR does not apply because this data is used in routine “household activity” anyway.

Both these assumptions are incorrect. It doesn’t matter where your business is based, how big it is, how much personal data you collect or what you use it for. The only thing that matters is whether you collect EU residents’ personal data. Likewise, whilst using data solely for personal use does fall outside of the GDPR, as soon as you start using the data for your network marketing business, such as communicating with your contacts about your products or services and the business opportunity, then the GDPR regulations will apply to you.   

2. “YOU DON’T ALWAYS NEED CONSENT?!”

Many business owners think they need consent to process people’s data lawfully, and this requirement can certainly be seen as getting in the way of building new relationships when you are prospecting to build your network.

What’s less well known is that there are 6 ways in which you can establish a legal ground for processing personal data in your business. Not all of these are relevant to a network marketing business but one is and it can be easier than establishing “consent”.  This would be the case where you enter into a contract with an individual to supply goods or services they have requested. Remember, a business contract does not need to be written – it can just be a verbal undertaking between you and your customer that they will pay for products or services that you will be supplying. This gives you a legitimate reason for holding necessary personal data about your customer.

3. “AM I A CONTROLLER OR A PROCESSOR?”

The GDPR splits the legal responsibilities for handling personal data into two categories: data controllers, who determine the purpose for collecting personal data and how it will be processed, and data processors, who are responsible for processing personal data on behalf of data controllers.

  • Am I a data controller? Yes, if you…

…collect and record personal data about your customers, prospects or other business contacts… Personal data includes even basic information such as names, telephone numbers, email addresses and so on. So, as a network marketer, you most likely will be a data controller.

  • Am I a data processor? Yes, if you…

…process personal data. If you use your own systems, such as spreadsheets or other database applications, then you could be a data processor as well as a data controller.

This might seem simple enough, but the relationship between controllers and processors is not usually straightforward. Businesses are often data controllers in some scenarios and processors in others. The responsibilities for data controllers and data processors are different, so it’s essential that everyone involved in data collection is aware of their role. There also might be multiple data processors for the same data, for example, if you use an app or CRM system to process your network’s personal data. What will really help with your compliance is to make sure that any platform that you use is also GDPR compliant, such as Pamtree, which offers a GDPR-compliant contract between it (as your data processor) and you as the data controller.  However, remember that this will only fulfil part of your data protection responsibilities under GDPR.

Are you struggling to get your head around GDPR? If so, what would make your life simpler? Here at Pamtree, we’re all about making it as easy as possible to run your network marketing business, so let us know and we’ll be happy to help where we can.

 

Network Marketers! Are you ready for GDPR?

 

This first of two blog posts on the subject of GDPR legislation looks at what it covers and who it applies to.

GDPR stands for General Data Protection Regulation. It’s a piece of European Union legislation that will apply widely to businesses that control or process personal data about EU citizens and is designed to give individuals more control and rights over the use of their personal data. Each country in the EU will introduce its own legislation to mirror the EU-wide GDPR rules and the UK is no exception, so “Brexit” will not affect the need to get ready and comply with GDPR!

The responsibility of policing the GDPR in the UK, from its implementation date of 25 May 2018, will fall to the Information Commissioner’s Office (ICO) and businesses that process personal data must register with the ICO annually. There are penalties for non-compliance with GDPR and data breaches (such as the theft of personal data) must be reported within 72 hours.

As a network marketer, capturing and keeping up-to-date personal information on your contacts and prospects is a central part of building your business. GDPR requirements may seem daunting but they will apply to you whether you simply keep that information on a spreadsheet or are using leading-edge systems like Pamtree. It’s therefore important that you get up to speed with what your own responsibilities are and also use 3rd party systems that you can be sure are GDPR compliant.

GDPR introduces a new distinction between “data controllers” and “data processors” and sets out the responsibilities of each of these roles. So even if you use a 3rd party system as your data processor, you will still have certain requirements to comply with GDPR as a “data controller”. However, if you take sensible measures to adhere to the overall requirements of GDPR, it is unlikely this distinction will be problematic for small businesses.

A few key areas are worth focusing on:

  • Work out what types of personal data you are recording and using (for example name, address, email, bank details, photos). If you record sensitive or special category data (for example health details, religious views, information about children) you’ll need to be especially diligent and special provisions can apply.
  • There needs to be a clear, legitimate basis for holding the data. Consent is one basis, and if you are relying on consent to process personal data, the consent has to be clear, specific and explicit, and you should document this. Alternatively, a business contract (which can be a verbal contract, for example, when you agree with your customer that they will buy products or services) is also a legitimate reason for holding necessary personal data.
  • Think about basic security around the data you hold. Have in place some basic documentation covering GDPR-compliant security measures and policies. This could include a statement of how often you will change passwords; how you check compliance of 3rd party data processors; how you restrict physical access to the data; and on your computer, that you will use and keep up to date firewall and anti-virus software.
  • Individuals will have the right to access any of their personal data, correct inaccuracies, possibly object to you processing it, or ask for all of their personal data to be deleted. Requests have a deadline of one month, so you need to be able to respond.
  • Check your supply chain to ensure that all suppliers are also GDPR compliant. This will help you avoid being impacted by any breaches and consequent penalties they may face.
  • Under GDPR, you’ll have to tell individuals your purpose for using their personal data. The ICO’s detailed guidance on privacy notices can be found here.

These are just some aspects of GDPR. There is a lot of reference material available on the internet on this, but much of it can be technical and a bit overwhelming. However, if you want to look up something with a bit more detail than we can fit in here, a good article for small businesses has been written by Simply Business and can be accessed here.

Keep your eyes peeled for our follow-up article: ‘3 GDPR Traps to Avoid’ which will be following shortly.