This first of two blog posts on the subject of GDPR legislation looks at what it covers and who it applies to.
GDPR stands for General Data Protection Regulation. It’s a piece of European Union legislation that will apply widely to businesses that control or process personal data about EU citizens, and it is designed to give individuals more control and rights over the use of their personal data. Each country in the EU will introduce its own legislation to mirror the EU-wide GDPR rules, and the UK is no exception, so “Brexit” will not affect the need to get ready and comply with GDPR!
The responsibility of policing the GDPR in the UK, from its implementation date of 25 May 2018, will fall to the Information Commissioner’s Office (ICO), and businesses that process personal data must register with the ICO annually. There are penalties for non-compliance with GDPR, and data breaches (such as the theft of personal data) must be reported within 72 hours.
As a network marketer, capturing and keeping up-to-date personal information on your contacts and prospects is a central part of building your business. GDPR requirements may seem daunting, but they will apply to you whether you simply keep that information on a spreadsheet or are using leading-edge systems like Pamtree. It’s therefore important that you get up to speed with what your own responsibilities are and also use third-party systems that you can be sure are GDPR compliant.
GDPR introduces a new distinction between “data controllers” and “data processors” and sets out the responsibilities of each of these roles. So even if you use a third-party system as your data processor, you will still have certain requirements to comply with under GDPR as a “data controller”. However, if you take sensible measures to adhere to the overall requirements of GDPR, it is unlikely this distinction will be problematic for small businesses.
A few key areas are worth focusing on:
- Work out what types of personal data you are recording and using (for example name, address, email, bank details, photos). If you record sensitive or special category data (for example health details, religious views, information about children), you’ll need to be especially diligent, and special provisions can apply.
- There needs to be a clear, legitimate basis for holding the data. Consent is one basis; if you are relying on consent to process personal data, the consent has to be clear, specific and explicit, and you should document this. Alternatively, a business contract (which can be a verbal contract, for example when you agree with your customer that they will buy products or services) is also a legitimate reason for holding the necessary personal data.
- Think about basic security around the data you hold. Have in place some basic documentation covering GDPR-compliant security measures and policies. This could include a statement of how often you will change passwords; how you check the compliance of third-party data processors; how you restrict physical access to the data; and, on your computer, that you will use and keep up to date firewall and anti-virus software.
- Individuals will have the right to access any of their personal data, to correct inaccuracies, possibly to object to you processing it, or to ask for all of their personal data to be deleted. Such requests have a deadline of one month, so you need to be able to respond within that time.
- Check your supply chain to ensure that all suppliers are also GDPR compliant. This will help you avoid being impacted by any breaches and consequent penalties they may face.
- Under GDPR, you’ll have to tell individuals your purpose for using their personal data. The ICO’s detailed guidance on privacy notices can be found here.
These are just some aspects of GDPR. There is a lot of reference material available on the internet on this, but much of it can be technical and a bit overwhelming. However, if you want to look up something in a bit more detail than we can fit in here, a good article for small businesses has been written by Simply Business and can be accessed here.
Keep your eyes peeled for our follow-up article, ‘3 GDPR Traps to Avoid’, which will be following shortly.