Nailing GDPR in five easy steps
Posted: Thu 4th Aug 2022
Following his barnstorming Lunch and Learn webinar on this very topic, Michael Buckworth follows up with a blog post talking all things GDPR.
Before we get into the five steps you must take to nail GDPR, here are five things you may not know about GDPR:
GDPR is a journey, not a destination. GDPR is about understanding the personal data you process, the legal basis on which you process it, and what you do with it. Personal data is what identifies an individual (e.g., name, address, email address etc.).
As a business owner, you need to ask yourself: what am I collecting, why am I collecting it, and what am I going to do with it? You must then explain all of that to your customers and ensure that you process the data in compliance with the law. This is an ongoing process that you, as a founder, need to keep thinking about.
You may not mean GDPR. GDPR is the original EU legislation, incorporated into UK law by the Data Protection Act 2018. Since Brexit, the UK has made moderate changes to its version, the so-called UK-GDPR. If you only process personal data within the UK about data subjects located in the UK, then your obligation is to comply with the UK's data protection legislation.
However, if you are processing data in Europe, then you will need to comply with the EU legislation. The same goes for regions outside the UK and EU where you will need to understand the jurisdiction’s own data protection laws and ensure you comply with those.
An example of this is a service provider, such as a CRM provider, that collects data on your behalf. Data processing agreements should be in place with such processors, requiring them to process personal data in a compliant manner. If they transfer the data to a country that doesn't have a regime equivalent to the UK's (including the US), you will need to put Standard Contractual Clauses (SCCs) in place with the processor.
Compliance is risk management. Everything to do with running a business is about risk management, and data protection works exactly the same way. UK-GDPR encourages businesses to take a risk-based approach to compliance. In other words, if what you are doing is low risk in terms of data protection (name, address, email), then you'll have to do less in terms of compliance, and if what you are doing is high risk (sensitive data), then you'll be obliged to meet a higher standard of compliance.
For example, if you are a beauty therapist and you collect the names and mailing addresses of your clients to send them a birthday card, this is considered low risk. However, if you run an online GP practice, where customers engage with doctors through apps and video calls and disclose personal health information, this is sensitive data and therefore higher risk. Data risk management is crucial to your business: you need to consider the types of data you process, how sensitive they would be if disclosed, the likelihood of data loss, and so on.
Customers are the problem…and the solution. When it comes to GDPR, customers or other people you deal with may make complaints against your business. The best way to avoid this is to prevent complaints from arising in the first place. When setting up your compliance, you should consider ways of establishing trust with your customers. So, what should you not do?
Spamming – sending numerous emails annoys people and risks complaints.
Cold calling – nothing angers busy people more than an unsolicited sales call.
Not responding to questions and complaints about data protection. In many cases, this comes down to poor customer service, where complaints have been ignored or mishandled. Make sure complaints are resolved quickly, properly, and accurately.
Not providing an opt-out – give people an unsubscribe button so they can choose to leave your marketing mailing lists.
So what are the five key steps in nailing GDPR?
Identify and map personal data – understand exactly where data is coming from and where it is going to.
Figure out the legal basis for processing – UK-GDPR sets out the legal justifications for processing personal data, such as consent, legitimate interest, and contractual obligation.
Do you transfer personal data outside the UK/EU? If you pass data to a service provider and they store it outside the UK or EU, that is a transfer out. You must ensure you have the correct legal documentation in place to authorise that transfer.
Make your team aware of their obligations and prepare your customer services team. Personally, I think this is the most important. Ensure your team understands the way you process personal data, what you do with it, and how they should respond to queries. If you can nail the client interaction and make sure your customer team responds in the right manner, you can shut down a lot of potential complaints before they get too far.
You can watch the full Lunch and Learn webinar on GDPR with Michael Buckworth here.
Finally, be sure to connect with him on Enterprise Nation for more business support.